Re: Discussion of 9.2.2
Greg Wilkins <gregw@intalio.com> Thu, 25 September 2014 18:15 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1CF01A8772 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 25 Sep 2014 11:15:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.065
X-Spam-Level:
X-Spam-Status: No, score=-7.065 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HnG4lI4nI_-Y for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 25 Sep 2014 11:15:18 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 430451A8754 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 25 Sep 2014 11:15:18 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XXDX7-00032N-1y for ietf-http-wg-dist@listhub.w3.org; Thu, 25 Sep 2014 18:12:49 +0000
Resent-Date: Thu, 25 Sep 2014 18:12:49 +0000
Resent-Message-Id: <E1XXDX7-00032N-1y@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <gregw@intalio.com>) id 1XXDWo-000319-WC for ietf-http-wg@listhub.w3.org; Thu, 25 Sep 2014 18:12:31 +0000
Received: from mail-we0-f172.google.com ([74.125.82.172]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <gregw@intalio.com>) id 1XXDWn-0004JP-Cw for ietf-http-wg@w3.org; Thu, 25 Sep 2014 18:12:30 +0000
Received: by mail-we0-f172.google.com with SMTP id p10so7999288wes.3 for <ietf-http-wg@w3.org>; Thu, 25 Sep 2014 11:12:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=t7ogmcPoVStGF74Sp81R9ZJmTNQAlMXVSIUjEwASpJE=; b=FwMzLY3nfoSg9F5qUtGq30esaDiPC41SIhgLkfZR+d7e656OIB4QQvFZlQSHef8AwK hSUGJDicM3ZcYwDbj+4ZsNFUfbOsL+exa7/Wx47+I23h6zBpGPj2zLphWjw8K8DJ9szO laNbUSJHXO3WsrORRIV70N1EF1pdsueGGtUXgWABBLooJ6wy2wJP3SxoVqIM1b4a+syP yR3ftpIUAlJgrzasOgYEFHfDlT5LqCp+3Q8cabpFjX5+eFKoDqL7L8mgDdyaq5aUaWts WCxm3pxiHaN3jyrea+/2Z+MzCbcaQ0f3w/S1skGho8obkAOl051r5OFtLbueIwHOiz+h oAVg==
X-Gm-Message-State: ALoCoQnso4SBhaoQyNa5bjvTIy572fCBGSVfrktN+Q9JU/6AdhxiKKRIG1n13oN9rwFwEfvLAnDs
MIME-Version: 1.0
X-Received: by 10.194.103.200 with SMTP id fy8mr5390311wjb.123.1411668722680; Thu, 25 Sep 2014 11:12:02 -0700 (PDT)
Received: by 10.194.169.98 with HTTP; Thu, 25 Sep 2014 11:12:02 -0700 (PDT)
In-Reply-To: <CABcZeBO46e9TpL_kksL5khPx0zbHv0Y3ZD1kp9ka8tzbMf5yhg@mail.gmail.com>
References: <F0D4BA2A-46B2-4F1A-8A23-1A319A3E5FC0@mnot.net> <CABkgnnV0HFeshNAe9CAzFDeED6Os_GmG6kxm827N18wduCkjiA@mail.gmail.com> <CAH_y2NFu=kyTVK_neACEVyWp9m4wfLOUu-=Dc9nZoMhP+fNSsg@mail.gmail.com> <CABcZeBMOqi+5LFzf1MmQuuW+4O7Pmvky68riNqtJDcbzQnvQig@mail.gmail.com> <CAH_y2NHCXamQrPQZyezkJ-NSZUPTdqjbyTDNufbJSiQ1q_QMjg@mail.gmail.com> <CABcZeBO46e9TpL_kksL5khPx0zbHv0Y3ZD1kp9ka8tzbMf5yhg@mail.gmail.com>
Date: Fri, 26 Sep 2014 04:12:02 +1000
Message-ID: <CAH_y2NGzOhQmLE_n77BLckWZFh-CmCfsJmFwBihFBt8-vR+giA@mail.gmail.com>
From: Greg Wilkins <gregw@intalio.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="047d7bfe9522c1a2a00503e7bc6b"
Received-SPF: permerror client-ip=74.125.82.172; envelope-from=gregw@intalio.com; helo=mail-we0-f172.google.com
X-W3C-Hub-Spam-Status: No, score=-3.8
X-W3C-Hub-Spam-Report: AWL=-3.100, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: maggie.w3.org 1XXDWn-0004JP-Cw e47ae5c6ad2a1d856045d8d818900ead
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Discussion of 9.2.2
Archived-At: <http://www.w3.org/mid/CAH_y2NGzOhQmLE_n77BLckWZFh-CmCfsJmFwBihFBt8-vR+giA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/27243
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 26 September 2014 03:05, Eric Rescorla <ekr@rtfm.com> wrote: > Isn't that only true if we add a new non-AEAD ciphersuite in NSS and then > forget > to update the code in Firefox? > Let's say that a new non-AEAD cipher is added in the future. At some point in time there is going to be a split population of FF deployed, some that do know about it and some that don't. Those that don't might still offer the cipher because it is a good desirable cipher for h1. So we are back to servers not knowing if a client is offering a cipher as a h2 acceptable one or not. Now judging from Patrick's response in this thread, it might not be a problem for FF if they have to explicitly white list new ciphers (so they can change that code at the same), but it may be that new ciphers are added to FF by plugin or other configurations. Also, other clients may not be so rigorous about vetting new ciphers, and may still have the same isAEAD() test instead of the more correct !isBlock()&&!isStream() A handshake that relies on good cipher vetting of the client to work is a fragile handshake. The point being that the current text in 9.2.2 encourages implementations to tread AEAD as a sufficient and necessary condition for a cipher, when in fact it is just sufficient and not necessary. If 9.2.2 explicitly said how future new classes of ciphers should be handled, then we'd avoid this. cheers -- Greg Wilkins <gregw@intalio.com> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales http://www.webtide.com advice and support for jetty and cometd.
- Discussion of 9.2.2 Mark Nottingham
- Re: Discussion of 9.2.2 Roland Zink
- Re: Discussion of 9.2.2 Greg Wilkins
- Re: Discussion of 9.2.2 Jason Greene
- Re: Discussion of 9.2.2 Martin Thomson
- Re: Discussion of 9.2.2 Greg Wilkins
- Re: Discussion of 9.2.2 Eric Rescorla
- Re: Discussion of 9.2.2 Roland Zink
- Re: Discussion of 9.2.2 Greg Wilkins
- Re: Discussion of 9.2.2 Eric Rescorla
- Re: Discussion of 9.2.2 Michael Sweet
- Re: Discussion of 9.2.2 Jason Greene
- Re: Discussion of 9.2.2 Ilari Liusvaara
- Re: Discussion of 9.2.2 Patrick McManus
- Re: Discussion of 9.2.2 Mark Nottingham
- Re: Discussion of 9.2.2 Greg Wilkins
- Re: Discussion of 9.2.2 Greg Wilkins
- Re: Discussion of 9.2.2 Jason Greene
- Re: Discussion of 9.2.2 Julian Reschke
- Re: Discussion of 9.2.2 Martin Thomson
- Re: Discussion of 9.2.2 Michael Sweet
- Re: Discussion of 9.2.2 Jason Greene
- Re: Discussion of 9.2.2 Eric Rescorla
- Re: Discussion of 9.2.2 Jason Greene
- Re: Discussion of 9.2.2 Jason Greene
- Re: Discussion of 9.2.2 Michael Sweet
- Re: Discussion of 9.2.2 Greg Wilkins
- Re: Discussion of 9.2.2 Willy Tarreau
- Re: Discussion of 9.2.2 Martin Nilsson
- Re: Discussion of 9.2.2 Jason Greene
- Re: Discussion of 9.2.2 Michael Sweet
- Re: Discussion of 9.2.2 Greg Wilkins
- Re: Discussion of 9.2.2 Martin Nilsson