Re: Comments about draft-ietf-httpbis-http2-16 : Connection reuse

> For the record, I disagree with that assessment.  There are strict
> security improvements in HTTP/2.

Yep, requiring TLS1.2+ and strong ciphers is cool :)

About this, why require P256 elliptic curve [FIPS186] support, which is
*not* safe (see http://safecurves.cr.yp.to/), and not the safe Curve25519 curve,
for example?

> Connection reuse can also provide
> non-trivial privacy advantages.

If it means the same behaviour as a MITM or downgrade attack…
And currently, I don’t see any of those non-trivial advantages. Do you have
an example?

What about TLS client auth with connection reuse?
If domain A doesn’t require TLS client auth but B does, how will connection reuse
handle this case? Without TLS renegotiation for domain B, the HT2 user-agent
won’t be able to see that there is a client certificate to send, no?

Regards,
-- 
Aeris

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/

Received on Saturday, 3 January 2015 10:23:01 UTC