Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem from Roy T. Fielding on 2014-09-18 (ietf-http-wg@w3.org from July to September 2014)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Thu, 18 Sep 2014 08:41:59 -0700
To: Greg Wilkins <gregw@intalio.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <C76D7E6B-06BA-4FF1-B0AF-804AC118A38E@gbiv.com>

I still don't believe that any of these requirements belong in h2,
and I won't implement them even if they end up in the RFC.  It is
not the HTTP server's responsibility to second-guess the configuration
regarding the security properties of the underlying connections.
We have no idea what hardware or gateways might be doing to secure those
connections.  We don't even know what TLS library is being used,
since all we see is an API into someone else's code.

TLS requirements belong in the TLS code.

....Roy

Received on Thursday, 18 September 2014 15:42:14 UTC