Hiya,

On 09/17/2013 01:25 PM, Jari Arkko wrote:
> Thanks for the list, Stephen. I also made a short list yesterday for
> other purposes. The items not on your list yet were:
>
> HTTP 2.0 security becoming somehow more widely turned on than we have
> on current HTTP. Current spec says it is required to implement, see
> http://tools.ietf.org/html/draft-ietf-httpbis-http2-06#section-9.2
> and the topic is also discussed in here:
> http://tools.ietf.org/agenda/87/slides/slides-87-httpbis-3.pdf

Right. I think there may be a draft popping out on that soonish
so I was gonna wait for that. But yes, that's a major topic of
interest so I hope to add an item to the list for that once it
gets a little more concrete.

> I think I saw a discussion about reducing fingerprinting
> possibilities for web traffic somewhere.

The UA string discussion won't result in changes I think. That's
a pity but a) it's probably too ingrained in web sites to change
and b) it's probably only a minor fingerprinting technique so on
balance we might have to put this one down as nice to have but
not practically changeable.

The GMT time in TLS discussion is similar, but seems much more
like it's a change that can be easily done.

> Did we have a discussion of PFS in TLS somewhere?

Yep, that'll be more explicit in Yaron's -01 draft I hope but
is implicitly there now.

> And there is a category of actions we could take, but are not
> technical improvements themselves. For instance, we could more
> aggressively deprecate algorithms known to have issues. Or we could
> launch a review of various security mechanisms or even other
> protocols to find areas that need improvement.

Sure. Different list though.

S.

>
> Jari
>
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
>
