IETF Logo Mail Archive

Re: Discussion of 9.2.2

Mark Nottingham <mnot@mnot.net> Thu, 25 September 2014 17:59 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 265DF1A01C6 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 25 Sep 2014 10:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.688
X-Spam-Level:
X-Spam-Status: No, score=-7.688 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QNu8QjzemOIc for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 25 Sep 2014 10:59:18 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74BBD1A0179 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 25 Sep 2014 10:59:18 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XXDI0-0002X6-H3 for ietf-http-wg-dist@listhub.w3.org; Thu, 25 Sep 2014 17:57:12 +0000
Resent-Date: Thu, 25 Sep 2014 17:57:12 +0000
Resent-Message-Id: <E1XXDI0-0002X6-H3@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1XXDHb-0002WA-Ro for ietf-http-wg@listhub.w3.org; Thu, 25 Sep 2014 17:56:47 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by maggie.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1XXDHa-0003nZ-D3 for ietf-http-wg@w3.org; Thu, 25 Sep 2014 17:56:47 +0000
Received: from [10.246.35.251] (unknown [207.218.72.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id B82EB22E2B7; Thu, 25 Sep 2014 13:56:23 -0400 (EDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <C3FE3757-2BED-41F6-8D2C-C36E29C5C950@redhat.com>
Date: Thu, 25 Sep 2014 18:56:21 +0100
Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7A1E6A5E-02EC-4DB7-A078-E0BF7F89B70D@mnot.net>
References: <F0D4BA2A-46B2-4F1A-8A23-1A319A3E5FC0@mnot.net> <CABkgnnV0HFeshNAe9CAzFDeED6Os_GmG6kxm827N18wduCkjiA@mail.gmail.com> <C3FE3757-2BED-41F6-8D2C-C36E29C5C950@redhat.com>
To: Jason Greene <jason.greene@redhat.com>
X-Mailer: Apple Mail (2.1878.6)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-1.8
X-W3C-Hub-Spam-Report: AWL=-1.123, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1XXDHa-0003nZ-D3 bbb2fa1105adbb81d7fb4f6e21364895
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Discussion of 9.2.2
Archived-At: <http://www.w3.org/mid/7A1E6A5E-02EC-4DB7-A078-E0BF7F89B70D@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/27242
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Jason,

On 25 Sep 2014, at 6:20 pm, Jason Greene <jason.greene@redhat.com> wrote:
> 1. H2 stack X, running on System A hard codes all known H2 compliant 1.2 ciphers
> 2. Time goes by, and a new stronger cipher C is released (either based on aero, or maybe just a new aead cipher in 1.3)
> 3. System B is a high security site and only allows cipher C

which is not conformant with "implementations of HTTP/2 that use TLS 1.2 MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [TLS-ECDHE] with P256 [FIPS186].” (9.2.2) — assuming it’s still 1.2 (see below). You’re building a straw-man here...

> 4. The administrator on System A installs a TLS stack update to latest 1.3, which contains cipher C, so that A can talk to B

If both parties both speak 1.3, 9.2.2 doesn’t apply, as per recent discussion.

> 5. A now can’t talk to B, and the administrator can’t figure out why, and probably begrudges the switch to H2

See recent discussion regarding the language regarding unknown ciphers. Please address that proposal (mine or Martin’s).


Cheers,

--
Mark Nottingham   http://www.mnot.net/

v2.46.0 | Report a Bug | By Email | System Status