- From: Roberto Peon <grmocg@gmail.com>
- Date: Tue, 25 Feb 2014 16:44:29 -0800
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Wednesday, 26 February 2014 00:44:56 UTC
It implies that a security-conscious entity will want to keep the limit at some moderately large, but finite value, e.g. 1000.

-=R

On Tue, Feb 25, 2014 at 4:37 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> https://github.com/http2/http2-spec/issues/416
>
> Roberto, as the former strongest advocate for the current unlimited
> initial value, does this extend to a limit on the stream count? Or is
> it just a recommendation that we make in security considerations?
>
> Either way, I think that it's an easy thing to do.
>
> It reduces the number of guesses that can be made against HPACK. I'm
> not sure if it goes far enough to address #373. Absent some
> revelation, I'm of the mind that any shared context (browsers,
> proxies) will have to restrict how items in the header table can be
> accessed if we intend to keep HPACK.