On Sun, 18 Dec 2011 13:12:57 +0100, Eric Rescorla <[email protected]> wrote:
> Sorry, I forgot to mention the 1/n+1 splitting countermeasure in my
> response.
> With that said, this isn't TLS 1.1, but rather a specific, more
> backwards-compatible countermeasure. It's fine for the security
> considerations section to say here that browsers must do either TLS 1.1
> or 1/n+1 splitting, but it should say something, since it's not like
> 1/n+1 splitting is required by TLS (any version).

Who's in charge of updating TLS? Surely this should be patched in the base
specification rather than in every API that interacts with it. I do not
want to make the life of the guy implementing XMLHttpRequest more
difficult if the problem is supposed to be addressed at the TLS layer
anyway.
--
Anne van Kesteren
http://annevankesteren.nl/