RE: Header Compression

Hi Ted,

First, the TODO for the security considerations section was put here because I believed the header compression spec would be quickly integrated into the main HTTP/2.0 spec. This will not be the case (it will be referenced from the main spec); therefore, I will do the TODO.

Second, it is a design choice not to have deletion: the means of removing a header is to replace it with a new one. Another possibility is to use the automatic dropping of headers to remove the headers that were the oldest to be added to the table (see penultimate paragraph of section 3.1 Header Table).

Hervé.
________________________________
From: Ted Hardie [ted.ietf@gmail.com]
Sent: Tuesday, June 11, 2013 18:33
To: RUELLAN Herve
Cc: Martin Thomson; Ryan Hamilton; ietf-http-wg@w3.org
Subject: Re: Header Compression

On Tue, Jun 11, 2013 at 7:05 AM, RUELLAN Herve <Herve.Ruellan@crf.canon.fr> wrote:
I just did it:
http://www.ietf.org/id/draft-ruellan-http-header-compression-00.txt

Hervé.


Hi Herve,

A couple of quick comments. First, for the TODO in your security considerations section, I think you should probably expand on the text in the overview, which describes the attack on Deflate, and unpack why the current scheme is resistant to similar attacks. Second, the document describes substitution and insertion, but does not describe deletion. If a party wishes to remove a header (note: not change to a null value), is this possible and, if so, what's the process?

regards,

Ted Hardie


> -----Original Message-----
> From: Martin Thomson [mailto:martin.thomson@gmail.com]
> Sent: Thursday 6 June 2013 18:46
> To: RUELLAN Herve
> Cc: Ryan Hamilton; ietf-http-wg@w3.org
> Subject: Re: Header Compression
>
> On 6 June 2013 04:43, RUELLAN Herve <Herve.Ruellan@crf.canon.fr> wrote:
> > Yes there are now both HTML and txt version available:
> > http://http2.github.io/compression-spec/compression-spec.html
> > http://http2.github.io/compression-spec/compression-spec.txt
>
> Could you please visit https://datatracker.ietf.org/idst/upload.cgi
> and go through the motions for us.  It's a procedural matter that shouldn't
> take more than a couple of minutes.

Received on Monday, 17 June 2013 16:43:33 UTC