Re: #612: Adopting pull #644

Mark,

I've posted this to the issue as well...

I am concerned that we are backing ourselves into a corner here - as written, INADEQUATE_SECURITY can only be used to enforce the blacklist provided in this spec, so the error might as well be called "USE_HTTP_1_1" because that will be the result.

If, however, we want to allow INADEQUATE_SECURITY for any situation where the client or server policy prohibits the use of certain cipher suites for HTTP/2 (with the default policy being the blacklist in the spec), then this language needs to be re-worded accordingly, e.g., "Endpoints MAY choose to generate a connection error of type INADEQUATE_SECURITY if the negotiated cipher suite does not meet the endpoint's minimum security requirements. The default security requirements MUST enforce the prohibited list of cipher suites."

We should probably also better document INADEQUATE_SECURITY in section 7, something like: "The negotiated TLS cipher suite does not meet minimum security requirements (see Section 9.2)."

Finally, we should say something about why we need this functionality: endpoints typically will support both HTTP/1.1 and HTTP/2, and TLS does not allow either endpoint to restrict the list of negotiated cipher suites based on the ALPN negotiated protocol (i.e. ALPN just allows the client to send a list of protocol identifiers, not identifiers + cipher suites).

> On Nov 18, 2014, at 12:06 AM, Mark Nottingham <mnot@mnot.net> wrote:
> 
> <https://github.com/http2/http2-spec/issues/612>
> 
> We discussed this issue extensively in HNL, going into the meeting with several partial proposals that had decent support.
> 
> The result of the discussion was a blacklist-oriented approach that Martin has sketched out here: <https://github.com/http2/http2-spec/pull/644>.
> 
> I think we're able to achieve consensus on that approach (delta some possible editorial work that, if necessary, can occur afterwards), and would like to confirm that on the list.
> 
> Any further comments?
> 
> Regards,
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> 

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Tuesday, 18 November 2014 12:24:05 UTC
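The check the message argues for, as an added example that is not part of the original message or of the HTTP/2 specification text: TLS picks the cipher suite without regard to the ALPN result, so the endpoint tests the pair after the handshake and answers a failure with GOAWAY carrying INADEQUATE_SECURITY. Assumptions: the `h2` ALPN identifier, the 0xc error code and the 9-byte frame header are taken from HTTP/2 as later published in RFC 7540; `SPEC_PROHIBITED` is a constructed three-entry stand-in for the spec's list; `CipherPolicy`, `check_negotiated` and `goaway_frame` are hypothetical names.

```python
import struct

INADEQUATE_SECURITY = 0xC  # error code value as published in RFC 7540 (assumption)
GOAWAY = 0x7               # frame type value as published in RFC 7540 (assumption)

# Constructed stand-in for the spec's prohibited list; the real list is far longer.
SPEC_PROHIBITED = frozenset({
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
})


class CipherPolicy:
    """Endpoint policy for HTTP/2 (hypothetical helper).

    The spec's prohibited list is always enforced; an endpoint may prohibit
    additional suites but has no way to re-allow a listed one.
    """

    def __init__(self, extra_prohibited=()):
        self.prohibited = SPEC_PROHIBITED | frozenset(extra_prohibited)

    def allows(self, suite):
        return suite not in self.prohibited


def check_negotiated(alpn, suite, policy):
    """Return None if the connection may proceed, else the HTTP/2 error code.

    The policy applies only when ALPN selected HTTP/2: the same suite is
    left alone on a connection that ended up speaking HTTP/1.1.
    """
    if alpn != "h2":
        return None
    return None if policy.allows(suite) else INADEQUATE_SECURITY


def goaway_frame(error_code, last_stream_id=0):
    """Serialize a GOAWAY frame: 9-byte header, then last-stream-id and code."""
    payload = struct.pack(">II", last_stream_id & 0x7FFFFFFF, error_code)
    length = struct.pack(">I", len(payload))[1:]      # 24-bit payload length
    header = length + bytes([GOAWAY, 0]) + struct.pack(">I", 0)  # stream 0
    return header + payload


if __name__ == "__main__":
    default, strict = CipherPolicy(), CipherPolicy({"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"})
    for alpn, suite, pol in [("h2", "TLS_RSA_WITH_AES_128_CBC_SHA", default),
                             ("http/1.1", "TLS_RSA_WITH_AES_128_CBC_SHA", default),
                             ("h2", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", strict)]:
        code = check_negotiated(alpn, suite, pol)
        print(alpn, suite, "ok" if code is None else goaway_frame(code).hex())
```
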