Re: Security implications of gzip #423

On 14 March 2014 01:14, Ted Johnson <johnsontedm@gmail.com> wrote:
> The following statement is indirect and it 'may' clarify what "every time"
> means: "Thus, even though gzip compression of response bodies is permitted
> for every response, it cannot be used every time." For example, how about,
> "Accordingly, do not use gzip compression of the response body in this
> scenario".

The text I have currently says:

Thus, even though gzip compression of response bodies is permitted, it
cannot be used for all responses.

> I would also add that MUST NOT should really be testable for
> compliance/conformance purposes.

This is, of course, highly contextual.  However, it is testable in
specific cases, even where it is not generically.  I can't tell you
what bits in your documents are secret or might be controlled by
others, but I'd hope that you can.  (If you aren't sure, I'd be
recommending that you avoid compression entirely.)

I'm not sure that a weaker recommendation would be better.

> Less important thought, the client system can in many situations be
> responsible for the security of the information as well.  Think about
> utility services that may not understand the sensitivity of the information
> they hold or what constitutes an attacker.  The client/requestor might
> actually hold the meta-data to know if a resource is confidential.

That's an interesting scenario, but I think that the best way of
handling this is to disable compression.  If there is any uncertainty
about whether data potentially contains a mix of secrets and
attacker-controlled data, don't compress.

Received on Friday, 14 March 2014 18:42:23 UTC