- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Tue, 26 Jan 2016 23:38:13 +0200
- To: Mike Bishop <Michael.Bishop@microsoft.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Jan 26, 2016 at 08:23:00PM +0000, Mike Bishop wrote:
> Based on feedback from this WG in Yokohama and on-list feedback from
> the TLS WG, Martin and I have a new (largely rewritten) version of
> the client cert draft. As I promised Mark, people will hate it, but
> they will at least hate it in different ways than the previous version!

Some quick comments (some less sensible, some more sensible):

- Needs to require EMS or TLS 1.3. Any use of TLS-EXPORTER for auth on
  connections vulnerable to THS is no-no.
- What does "future streams associated with this request" mean exactly?
  Covering a stream the client did not intend to is no-no.
- How does the client revoke AUTOMATIC_USE on some certificate (or all
  certificates) in a sequentially consistent way? For the same reasons as
  previous.
- Why 1024 byte exporter output? That seems excessively large. 64 bytes is
  already 512 bits, which is high even if actual security is cut in half
  somehow.
- There are all sorts of crappy TLS HashAndSignatureAlgorithm values that
  need forbidding, like DSA or ones using MD5 or SHA1.

-Ilari
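As an added example (not code from the draft or from anyone in this thread), a Python check a TLS 1.2 server could run over a ClientHello extensions vector before accepting exporter-based client authentication: it enforces the two mechanically checkable points above, presence of extended_master_secret (RFC 7627) and absence of DSA/MD5/SHA-1 SignatureAndHashAlgorithm pairs. The sample extension vectors are constructed, the forbidden sets are an assumed policy, and the TLS 1.3 case (where EMS is implicit) is not covered.

```python
import struct

# TLS 1.2 extension types and SignatureAndHashAlgorithm code points (RFC 5246).
EXT_SIGNATURE_ALGORITHMS = 0x000D
EXT_EXTENDED_MASTER_SECRET = 0x0017   # RFC 7627, empty extension_data
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
FORBIDDEN_HASHES = {0, 1, 2}          # assumed policy: none, md5, sha1
FORBIDDEN_SIGS = {0, 2}               # assumed policy: anonymous, dsa

def build_extensions(entries):
    """Encode [(type, data), ...] as a TLS extensions vector (for constructed test input)."""
    body = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in entries)
    return struct.pack(">H", len(body)) + body

def parse_extensions(blob):
    """Parse a TLS extensions vector (2-byte length + entries) into {type: data}."""
    (total,) = struct.unpack(">H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length does not match blob")
    pos, exts = 2, {}
    while pos < len(blob):
        etype, elen = struct.unpack(">HH", blob[pos:pos + 4])
        pos += 4
        if pos + elen > len(blob):
            raise ValueError("truncated extension")
        exts[etype] = blob[pos:pos + elen]
        pos += elen
    return exts

def exporter_auth_violations(blob):
    """Return the policy violations a server should raise before using
    exported keying material (TLS-EXPORTER) for certificate-based auth."""
    exts = parse_extensions(blob)
    problems = []
    if EXT_EXTENDED_MASTER_SECRET not in exts:
        problems.append("no extended_master_secret: refuse TLS-EXPORTER based auth")
    sigalgs = exts.get(EXT_SIGNATURE_ALGORITHMS, b"")
    if sigalgs:
        (n,) = struct.unpack(">H", sigalgs[:2])
        for i in range(2, 2 + n, 2):
            h, s = sigalgs[i], sigalgs[i + 1]
            if h in FORBIDDEN_HASHES or s in FORBIDDEN_SIGS:
                problems.append(f"forbidden SignatureAndHashAlgorithm {HASH_NAMES.get(h, h)}+{SIG_NAMES.get(s, s)}")
    return problems

# Constructed sample extension vectors, not captured traffic.
WEAK_EXTS = build_extensions([(EXT_SIGNATURE_ALGORITHMS, b"\x00\x06\x04\x01\x02\x01\x01\x02")])
GOOD_EXTS = build_extensions([(EXT_EXTENDED_MASTER_SECRET, b""),
                              (EXT_SIGNATURE_ALGORITHMS, b"\x00\x04\x04\x01\x05\x03")])
```

WEAK_EXTS yields three violations (missing EMS, sha1+rsa, md5+dsa); GOOD_EXTS yields none.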
Received on Tuesday, 26 January 2016 21:38:44 UTC