
Re: CSP: Minimum cipher strength

From: Tom Ritter <tom@ritter.vg>
Date: Sat, 13 Sep 2014 20:35:06 -0500
Message-ID: <CA+cU71=+RdVHt2Bw8nYzS4WFsr5t0ZR-5vk3Yvd+eqvTxHXHpw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 10 September 2014 17:29, Ryan Sleevi <sleevi@google.com> wrote:
> In more recent years, this has come up again with "mixed-HSTS" and
> "mixed-HPKP" discussions (which, unlike Mike, I don't think are a good place
> to express these sorts of policies), which themselves then became part of
> Joe Bonneau's overall secure-links scheme (see http://www.secure-links.org/)

And 'mixed client authentication'.

> Ultimately, I agree with Mike - the solution to solve this (generally) is
> for UAs to start deprecating things. We're already seeing this with SHA-1 (
> *cough* ), and I think it's very likely we'll start seeing with both TLS
> versions and cipher configurations (that we haven't already is more due to
> oversight than lack of enthusiasm)

++  I also see a problem that limiting the domain to example.com to
load a resource off a CDN has the existing implicit contract that the
resource will not change to start loading content off another domain.
No such implicit contract exists for ciphersuites, limiting the

Received on Sunday, 14 September 2014 01:35:53 UTC
