The HTTP/2 RFC should not mandate RSA certificates

Hello,

Late last year, I submitted a patch to Go’s HTTP/2 library to allow the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher as an alternative MTI cipher to the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher that the HTTP/2 RFC mandates.

My reasoning for this patch is that many servers only use ECDSA certificates and so the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher will never be used in those situations and thus we should allow TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as an alternative MTI cipher.

See https://go-review.googlesource.com/c/net/+/30721 for further information and discussion.

After some discussion and feedback on my patch, it seems this may be a spec bug.

So is this a spec bug? Is it alright to allow TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as an alternative MTI cipher?

Regards,
Anmol

Received on Monday, 30 October 2017 22:59:01 UTC
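The situation the message describes, shown as an added Go example (this is not code from the original post, from Go's HTTP/2 library, or from the linked patch): a server that holds only an ECDSA certificate is asked to negotiate TLS 1.2 with a client offering both TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, and then with a client offering only the RSA suite. The certificate is a constructed, self-signed P-256 throwaway, the handshake runs over an in-memory net.Pipe, and the function and variable names are the example's own. TLS 1.3 is pinned off because its suite names no longer encode the certificate's signature algorithm, so the RSA-versus-ECDSA question only arises at 1.2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The two suites under discussion: the MTI suite HTTP/2 mandates and the
// ECDSA counterpart proposed as an alternative.
const (
	mtiRSA   = tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	altECDSA = tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
)

// selfSignedECDSA builds a throwaway P-256 certificate in memory
// (constructed test material, not a real server certificate).
func selfSignedECDSA() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ecdsa-only.example"},
		DNSNames:     []string{"ecdsa-only.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// negotiate performs a TLS 1.2 handshake over an in-memory pipe between a
// server holding cert and a client, both offering exactly suites, and returns
// the cipher suite that was agreed (or the handshake error).
func negotiate(cert tls.Certificate, suites []uint16) (uint16, error) {
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // keep the question at 1.2, see lead-in
		CipherSuites: suites,
	}
	clientCfg := &tls.Config{
		InsecureSkipVerify: true, // self-signed test cert only; never in production
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		CipherSuites:       suites,
	}
	cconn, sconn := net.Pipe()
	defer cconn.Close()
	defer sconn.Close()
	// net.Pipe is synchronous; a deadline keeps a failed flight from hanging.
	deadline := time.Now().Add(5 * time.Second)
	cconn.SetDeadline(deadline)
	sconn.SetDeadline(deadline)

	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(sconn, serverCfg).Handshake() }()

	client := tls.Client(cconn, clientCfg)
	if err := client.Handshake(); err != nil {
		return 0, fmt.Errorf("client handshake: %w", err)
	}
	if err := <-serverErr; err != nil {
		return 0, fmt.Errorf("server handshake: %w", err)
	}
	return client.ConnectionState().CipherSuite, nil
}

func main() {
	cert, err := selfSignedECDSA()
	if err != nil {
		panic(err)
	}
	// Offer both suites: an ECDSA-only server can only ever pick the ECDSA one.
	suite, err := negotiate(cert, []uint16{mtiRSA, altECDSA})
	fmt.Printf("both offered: %s, err=%v\n", tls.CipherSuiteName(suite), err)
	// Offer only the mandated RSA suite: no suite is usable, so the handshake fails.
	_, err = negotiate(cert, []uint16{mtiRSA})
	fmt.Printf("RSA-only offered: err=%v\n", err)
}
```

The first handshake selects TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 even though the mandated RSA suite was offered first, and the second fails outright because the only offered suite requires an RSA key the server does not have. That is the point of the message: on an ECDSA-only server the mandated suite is present on paper but can never be negotiated.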