Re: Comments about draft-ietf-httpbis-http2-16 : Connection reuse

> For the record, I disagree with that assessment.  There are strict
> security improvements in HTTP/2.

Yep, requiring TLS1.2+ and strong ciphers is cool :)

About this, why requiring P256 elliptic curve [FIPS186] support, which is 
*not* safe (see and not the safe Curve25519 curve 
for example ?

> Connection reuse can also provide
> non-trivial privacy advantages.

If it means same behaviour as MITM or downgrade attack…
And currently, I don’t see any of those non-trivial advantages. Do you have 
some example ?

What about TLS client auth with connection reusage ?
If dom A don’t require TLS client auth but B does, how the connection reusage 
will handle this case ? Without TLS renegociation for domain B, the HT2 user-
agent won’t be able to see there is a client certificate to send, no ?


Protégez votre vie privée, chiffrez vos communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72

Received on Saturday, 3 January 2015 10:23:01 UTC