On Tue, Dec 20, 2011 at 9:36 AM, Anne van Kesteren <ann...@opera.com> wrote: > On Sun, 18 Dec 2011 13:12:57 +0100, Eric Rescorla <e...@rtfm.com> wrote: >> >> Sorry, I forgot to mention the 1/n+1 splitting countermeasure in my >> response. >> >> With that said, this isn't TLS 1.1, but rather a specific, more >> backwards-compatible countermeasure. It's fine for the security >> considerations section to say here that browsers must do either TLS 1.1 or >> 1/n+1 splitting, but it should say something, since it's not like 1/n+1 >> splitting is required by TLS (any version). > > > Who's in charge of updating TLS?
Me. > Surely this should be patched in the base > specification rather than in every API that interacts with it. I do not want > to make the life of the guy implementing XMLHttpRequest more difficult if > the problem is supposed to be addressed at the TLS layer anyway. The problem was addressed at the TLS layer 5 years ago when we issued TLS 1.1. -Ekr
