Re: Discussion of 9.2.2
Jason Greene <jason.greene@redhat.com> Thu, 25 September 2014 18:28 UTC
From: Jason Greene <jason.greene@redhat.com>
In-Reply-To: <7A1E6A5E-02EC-4DB7-A078-E0BF7F89B70D@mnot.net>
Date: Thu, 25 Sep 2014 13:24:55 -0500
Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <EB0F0014-446D-4844-A2C2-E36E8B7A53A4@redhat.com>
References: <F0D4BA2A-46B2-4F1A-8A23-1A319A3E5FC0@mnot.net> <CABkgnnV0HFeshNAe9CAzFDeED6Os_GmG6kxm827N18wduCkjiA@mail.gmail.com> <C3FE3757-2BED-41F6-8D2C-C36E29C5C950@redhat.com> <7A1E6A5E-02EC-4DB7-A078-E0BF7F89B70D@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
Subject: Re: Discussion of 9.2.2
Archived-At: <http://www.w3.org/mid/EB0F0014-446D-4844-A2C2-E36E8B7A53A4@redhat.com>
On Sep 25, 2014, at 12:56 PM, Mark Nottingham <mnot@mnot.net> wrote:

> Jason,
>
> On 25 Sep 2014, at 6:20 pm, Jason Greene <jason.greene@redhat.com> wrote:
>> 1. H2 stack X, running on System A hard codes all known H2 compliant 1.2 ciphers
>> 2. Time goes by, and a new stronger cipher C is released (either based on aero, or maybe just a new aead cipher in 1.3)
>> 3. System B is a high security site and only allows cipher C
>
> which is not conformant with "implementations of HTTP/2 that use TLS 1.2 MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [TLS-ECDHE] with P256 [FIPS186]." (9.2.2) — assuming it’s still 1.2 (see below). You’re building a straw-man here...
>
>> 4. The administrator on System A installs a TLS stack update to latest 1.3, which contains cipher C, so that A can talk to B
>
> If both parties both speak 1.3, 9.2.2 doesn’t apply, as per recent discussion.

The problem is you do not know whether or not the peer is 1.3 until after negotiation, and cipher suite restrictions are specified in advance, and you can’t restrict to 1.3 only if you intend to support h1 usage (or 1.2 h2 clients) on the same port. The best you could probably do is retry the connection with a 1.3 restriction enabled and the cipher restrictions dropped, which defeats the lightweight establishment benefit of H2.

>> 5. A now can’t talk to B, and the administrator can’t figure out why, and probably begrudges the switch to H2
>
> See recent discussion regarding the language regarding unknown ciphers. Please address that proposal (mine or Martin’s).

I was replying to Martin’s version. I was saying that the only way to meet that version of text is to either have a rich characteristics and priority API which isn’t prevalent today (see Michael Sweet’s most recent email), OR to hardcode the complete list (assuming the TLS stack allows a priority ordered list).

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
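The failure mode Jason walks through (a client that must commit to a cipher-suite list before it learns which TLS version the peer speaks, and the retry that this forces) can be traced with a small model of version and suite selection. The block below is an added example written for this archive page; it is not code from the thread, from WildFly, or from any real TLS stack. The mandated suite name is the one quoted in the message; `CIPHER_C`, `SYSTEM_B`, `ORDINARY_SERVER`, `SUITE_VERSIONS`, `negotiate` and `connect_with_fallback` are constructed for the illustration, and the negotiation rule (highest common version for which a common suite exists, server preference order) is a deliberate simplification of what TLS actually does.

```python
"""Model of the HTTP/2 cipher-suite pinning problem discussed in the thread.

Added example, not code from the thread or any TLS library.  Everything
below other than the 9.2.2 suite name is a constructed placeholder.
"""
from dataclasses import dataclass

TLS12, TLS13 = "TLS1.2", "TLS1.3"

# The suite 9.2.2 says a TLS 1.2 HTTP/2 implementation MUST support (from the message).
MANDATORY_TLS12_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Placeholder for the hypothetical future "cipher C" of the scenario.
CIPHER_C = "TLS_HYPOTHETICAL_CIPHER_C"

# Constructed: the TLS 1.2 suites an H2 stack built before cipher C existed pins
# (step 1 of the scenario).  It cannot know about cipher C.
H2_TLS12_ALLOWLIST = [MANDATORY_TLS12_SUITE,
                      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]

# Constructed: everything the updated TLS stack on System A can do (step 4).
STACK_SUITES_AFTER_UPDATE = H2_TLS12_ALLOWLIST + [CIPHER_C]

# Constructed: which protocol version each suite is usable with.  Cipher C is
# modelled as "a new aead cipher in 1.3", one of the two options Jason names.
SUITE_VERSIONS = {
    MANDATORY_TLS12_SUITE: {TLS12},
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": {TLS12},
    CIPHER_C: {TLS13},
}


@dataclass
class ClientHello:
    versions: list   # versions the client offers
    suites: list     # suites the client offers, in preference order


@dataclass
class ServerConfig:
    versions: list   # versions the server accepts on this port
    suites: list     # suites the server accepts, in preference order


def negotiate(hello, server):
    """Simplified selection: highest common version for which the server can
    find one of its preferred suites that the client also offered and that is
    usable at that version.  Returns (version, suite) or None."""
    common = [v for v in server.versions if v in hello.versions]
    for version in sorted(common, reverse=True):   # "TLS1.3" sorts above "TLS1.2"
        for suite in server.suites:
            if suite in hello.suites and version in SUITE_VERSIONS[suite]:
                return version, suite
    return None


def tls12_h2_conformant(server):
    """Mark's objection: a server that still negotiates TLS 1.2 for HTTP/2 but
    will not accept the 9.2.2 suite is not conformant with that text."""
    return TLS12 not in server.versions or MANDATORY_TLS12_SUITE in server.suites


def connect_with_fallback(server, stack_versions):
    """Jason's point: the first ClientHello must carry the pinned 1.2 list,
    because the peer's version is unknown until after negotiation.  On failure
    the only recourse is a second handshake restricted to 1.3 with the H2
    restriction dropped.  Returns (negotiated, handshakes_attempted)."""
    first = ClientHello(versions=list(stack_versions), suites=list(H2_TLS12_ALLOWLIST))
    result = negotiate(first, server)
    if result is not None:
        return result, 1
    if TLS13 not in stack_versions:        # steps 1-3: stack has no 1.3 yet
        return None, 1
    retry = ClientHello(versions=[TLS13], suites=list(STACK_SUITES_AFTER_UPDATE))
    return negotiate(retry, server), 2


# Constructed: System B, a high-security site that accepts either version on the
# port but only cipher C (step 3); and an ordinary server for comparison.
SYSTEM_B = ServerConfig(versions=[TLS12, TLS13], suites=[CIPHER_C])
ORDINARY_SERVER = ServerConfig(versions=[TLS12, TLS13],
                               suites=[MANDATORY_TLS12_SUITE, CIPHER_C])

if __name__ == "__main__":
    print("A (1.2 only) -> B:", connect_with_fallback(SYSTEM_B, [TLS12]))
    print("A (updated)  -> B:", connect_with_fallback(SYSTEM_B, [TLS13, TLS12]))
    print("A (updated)  -> ordinary:", connect_with_fallback(ORDINARY_SERVER, [TLS13, TLS12]))
    print("B conformant with 9.2.2 as a 1.2 server?", tls12_h2_conformant(SYSTEM_B))
```

Run as a script, the model reproduces both halves of the exchange: before the update System A cannot reach System B at all; after it, A reaches B only on a second handshake, which is the establishment cost Jason objects to; and the ordinary server is reached on the first attempt but at TLS 1.2, since the pinned list offers nothing usable at 1.3. The conformance check reflects Mark's reply, since System B advertises 1.2 without the mandated suite.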