
Re: CSP: Minimum cipher strength

From: Tom Ritter <tom@ritter.vg>
Date: Sat, 13 Sep 2014 20:35:06 -0500
Message-ID: <CA+cU71=+RdVHt2Bw8nYzS4WFsr5t0ZR-5vk3Yvd+eqvTxHXHpw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 10 September 2014 17:29, Ryan Sleevi <sleevi@google.com> wrote:
> In more recent years, this has come up again with "mixed-HSTS" and
> "mixed-HPKP" discussions (which, unlike Mike, I don't think are a good place
> to express these sorts of policies), which themselves then became part of
> Joe Bonneau's overall secure-links scheme (see http://www.secure-links.org/
> )

And 'mixed client authentication'.

> Ultimately, I agree with Mike - the solution to solve this (generally) is
> for UAs to start deprecating things. We're already seeing this with SHA-1 (
> *cough* ), and I think it's very likely we'll start seeing with both TLS
> versions and cipher configurations (that we haven't already is more due to
> oversight than lack of enthusiasm)

++ I also see a problem that limiting the domain to example.com to
load a resource off a CDN has the existing implicit contract that the
resource will not change to start loading content off another domain.
No such implicit contract exists for ciphersuites, limiting the
usefulness.

-tom
Received on Sunday, 14 September 2014 01:35:53 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC