Re: #612: Adopting pull #644

tl;dr: new PR:
On 20 November 2014 15:47, Mark Nottingham <mnot@mnot.net> wrote:
> What do people thing about changing this text:
>
> """
> A deployment of HTTP/2 over TLS 1.2 MUST NOT use any of the cipher suites that are only be used with cipher suites that are listed in <xref target="BadCipherSuites"/>
> """
>
> to a SHOULD NOT?

I've prepared the draft with a SHOULD.  And noted the risks...

On 20 November 2014 15:50, Mark Nottingham <mnot@mnot.net> wrote:
> On 18 Nov 2014, at 7:36 pm, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> Regardless, unlike MAY and MUST, you can’t just use “SHOULD” and “SHOULD NOT” in a document. They require an explanation of why you should not, and under what circumstances your are allowed to do that something that your should not do.
>
[...]
>> So, if we agree with you, we need to complete the sentence, “HTTP/2.0 clients and server SHOULD NOT use ciphers from this list unless …”
>
> "... unless the server is deployed to communicate with a known population of clients, or is willing to accept that some clients will refuse to communicate with it."

I've not chosen that precise form (it's clunky without the connection
error being introduced).  But I think that I've framed it in a way
that should avoid a DISCUSS target.

>> Finally, we should say something about why we need this functionality: endpoints typically will support both HTTP/1.1 and HTTP/2, and TLS does not allow either endpoint to restrict the list of negotiated cipher suites based on the ALPN negotiated protocol (i.e. ALPN just allows the client to send a list of protocol identifiers, not identifiers + cipher suites).
>
> I think that's good editorial input for Martin.

Text to that effect has been in the document for ages, though it was
removed in the PR.  I'll try to find a way to have it return in some
fashion.

...I've also tried to fix some wording contortions around the TLS
1.2/1.3+ split here.

Received on Friday, 21 November 2014 07:05:32 UTC