RE: #612: Adopting pull #644

I continue to object to the idea that HTTP/2 "MUST NOT" use the ciphers on the list, for the reasons that we, Roy, and others have outlined.

> SHOULD NOT
>   This phrase, or the phrase "NOT RECOMMENDED" mean that
>   there may exist valid reasons in particular circumstances when the
>   particular behavior is acceptable or even useful, but the full
>   implications should be understood and the case carefully weighed
>   before implementing any behavior described with this label.

The definition from 2119 reads exactly like cipher suite selection -- there may be valid reasons to use (some of) these cipher suites, but you do need to think carefully before making that choice because it's certainly not universal.  Peers who see one of these suites SHOULD send INADEQUATE_SECURITY -- the corollary to that is that these cipher suites SHOULD NOT be used.  Otherwise, we're veering into RFC 6919.

However, the gist of the pull request reflects my understanding of the room's compromise from HNL, yes.  If the WG as a whole wants to move forward with the MUST NOT, I'm willing to be in the rough here.  Close enough.

-----Original Message-----
From: Mark Nottingham [mailto:mnot@mnot.net] 
Sent: Monday, November 17, 2014 9:07 PM
To: HTTP
Subject: #612: Adopting pull #644

<https://github.com/http2/http2-spec/issues/612>

We discussed this issue extensively in HNL, going into the meeting with several partial proposals that had decent support.

The result of the discussion was a blacklist-oriented approach that Martin has sketched out here: <https://github.com/http2/http2-spec/pull/644>.

I think we're able to achieve consensus on that approach (delta some possible editorial work that, if necessary, can occur afterwards), and would like to confirm that on the list.

Any further comments?

Regards,
  
--
Mark Nottingham   https://www.mnot.net/

Received on Tuesday, 18 November 2014 08:09:30 UTC
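The behaviour the thread argues over, an endpoint noticing that the negotiated TLS cipher suite is on the black list and answering with INADEQUATE_SECURITY, shown as an added example that is not part of this thread or of the http2-spec project. The structural rules below (ephemeral key exchange plus an AEAD bulk cipher) are an assumed approximation of the black list's intent, not the list itself; the numeric error code 0xc is the value RFC 7540 assigns to INADEQUATE_SECURITY, and the suite names are constructed sample input in IANA TLS 1.2 naming. The `enforce` flag is a hypothetical policy knob reflecting the SHOULD-versus-MUST question: with it off the check only reports, with it on it returns the error code to send.

```python
# Added example (not from the mailing-list thread or the http2-spec repository).
# Classifies a negotiated TLS 1.2 cipher suite by the two properties that
# motivated the HTTP/2 cipher suite black list and decides whether the endpoint
# should respond with the INADEQUATE_SECURITY connection error.
import re

INADEQUATE_SECURITY = 0xC  # HTTP/2 error code value from RFC 7540

# Assumed approximation of the black list: reject non-ephemeral key exchange
# and non-AEAD bulk ciphers. The real list is enumerated in the spec.
EPHEMERAL_KX = ("ECDHE", "DHE")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")

# IANA TLS 1.2 naming: TLS_<key exchange>_WITH_<bulk cipher and MAC/PRF>
_SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+)$")


def classify(suite):
    """Return (ephemeral_kx, aead) for an IANA-style suite name, or None if unparsable."""
    m = _SUITE_RE.match(suite)
    if not m:
        return None
    kx_tokens = m.group("kx").split("_")
    ephemeral = any(tok in EPHEMERAL_KX for tok in kx_tokens)
    aead = any(marker in m.group("cipher") for marker in AEAD_MARKERS)
    return ephemeral, aead


def check_negotiated_suite(suite, enforce=True):
    """Decide how an HTTP/2 endpoint treats the suite negotiated on its connection.

    Returns a dict with the decision, the reasons, and the error code to send.
    error_code is None when the suite is acceptable or when enforce is False
    (report-only mode, the 'SHOULD' reading); unparsable names fail closed.
    """
    props = classify(suite)
    reasons = []
    if props is None:
        reasons.append("unrecognised suite name; failing closed")
    else:
        ephemeral, aead = props
        if not ephemeral:
            reasons.append("key exchange is not ephemeral (no forward secrecy)")
        if not aead:
            reasons.append("bulk cipher is not AEAD")
    acceptable = not reasons
    error_code = INADEQUATE_SECURITY if (reasons and enforce) else None
    return {"suite": suite, "acceptable": acceptable,
            "reasons": reasons, "error_code": error_code}


# Constructed sample of suite names a server might see negotiated.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # ephemeral + AEAD: fine
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", # ephemeral + AEAD: fine
    "TLS_RSA_WITH_AES_128_GCM_SHA256",              # static RSA kx: rejected
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",           # CBC, not AEAD: rejected
    "TLS_RSA_WITH_AES_128_CBC_SHA",                 # both problems
]

if __name__ == "__main__":
    for name in SAMPLE_SUITES:
        result = check_negotiated_suite(name)
        status = "ok" if result["acceptable"] else "INADEQUATE_SECURITY (0x%x)" % result["error_code"]
        print("%-48s %s %s" % (name, status, "; ".join(result["reasons"])))
```

Run as a script it prints one line per sample suite; in a real server the check would sit right after the TLS handshake completes, before any HTTP/2 frames are processed, so that a rejected suite produces a GOAWAY with the error code rather than a half-served connection.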