- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 27 Jan 2016 09:04:09 +1100
- To: Ilari Liusvaara <ilariliusvaara@welho.com>
- Cc: Mike Bishop <Michael.Bishop@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>
Thanks for the prompt feedback Ilari,

On 27 January 2016 at 08:38, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> - Needs to require EMS or TLS 1.3. Any use of TLS-EXPORTER for auth on
>   connections vulnerable to THS is no-no.

Yes, absolutely.

> - What does "future streams associated with this request" mean exactly.
>   Covering a stream client did not intend to is no-no.

Context?

> - How does client revoke AUTOMATIC_USE on some certificate (or all
>   certificates) in sequentially consistent way? For the same reasons
>   as previous.

GOAWAY & close. Note that you might be better off asking for the removal of AUTOMATIC_USE if this is a concern you have. Also note that you are asking for a level of control that the server doesn't get.

> - Why 1024 byte exporter output? That seems excessively large. 64
>   bytes is already 512 bits, which is high even if actual security
>   is cut in half somehow.

Hmm, yes, 64 bytes is plenty.

> - There are all sorts of crappy TLS HashAndSignatureAlgorithm values
>   that need forbidding, like DSA or ones using MD5 or SHA1.

Good point. We should limit this to DSA with SHA1.

Received on Tuesday, 26 January 2016 22:04:36 UTC