- From: Eric Rescorla <ekr@rtfm.com>
- Date: Tue, 20 Dec 2011 12:06:28 -0800
- To: Anne van Kesteren <annevk@opera.com>
- Cc: public-webapps@w3.org
On Tue, Dec 20, 2011 at 9:36 AM, Anne van Kesteren <annevk@opera.com> wrote: > On Sun, 18 Dec 2011 13:12:57 +0100, Eric Rescorla <ekr@rtfm.com> wrote: >> >> Sorry, I forgot to mention the 1/n+1 splitting countermeasure in my >> response. >> >> With that said, this isn't TLS 1.1, but rather a specific, more >> backwards-compatible countermeasure. It's fine for the security >> considerations section to say here that browsers must do either TLS 1.1 or >> 1/n+1 splitting, but it should say something, since it's not like 1/n+1 >> splitting is required by TLS (any version). > > > Who's in charge of updating TLS? Me. > Surely this should be patched in the base > specification rather than in every API that interacts with it. I do not want > to make the life of the guy implementing XMLHttpRequest more difficult if > the problem is supposed to be addressed at the TLS layer anyway. The problem was addressed at the TLS layer 5 years ago when we issued TLS 1.1. -Ekr
Received on Tuesday, 20 December 2011 20:07:40 UTC