- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 24 Apr 2014 07:57:01 -0700
- To: K.Morgan@iaea.org
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Matthew Kerwin <matthew@kerwin.net.au>

On 24 April 2014 02:26, <K.Morgan@iaea.org> wrote:
> however the uncompressed data from separate frames MUST NOT be merged.
> Merging uncompressed data from separate frames creates a shared compression
> context that could allow an attacker to recover secret data if merging
> combines confidential and attacker-controlled data.

My first impression was that you have too much text there, but this point is valuable. I had to ship -12, but I'll add this to the editor's copy in preparation for -13.

Note that this is only an issue if the merged data is subsequently compressed. I think that the text could more succinctly say:

[...] frames that are separately compressed cannot be merged into a single compressed frame. Either could result in the compression of secret and attacker-controlled data within the same compression context. Compressed frames MAY be decompressed, in whole or part.

I'm less certain about making the downstream intermediary point so explicit. There's a balance to be struck. There are plenty of other places where our prohibitions are less-well explained than this already is. This is a fractal landscape, and we try to avoid exhaustively exploring all the minute details in the interests of readability and accessibility.

Received on Thursday, 24 April 2014 14:57:30 UTC
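
The point made in the message above, as an added example that is not part of the original thread or of any HTTP/2 draft: it checks whether the on-wire size of a confidential frame depends on a neighbouring frame's content under three intermediary behaviours. The frame contents, function names and the use of zlib DEFLATE are assumptions made for illustration.

```python
import zlib

# Constructed sample frames (illustrative values, not taken from the thread).
SECRET_FRAME = b"Cookie: session=7f3a9c1e5b2d4f608a1c3e5d7b9f0a2c\r\n"
# Two same-length neighbouring frames whose content another party controls.
OTHER_MATCHING = b"Cookie: session=7f3a9c1e5b2d4f608a1c3e5d7b9f0a2c\r\n"
OTHER_DIFFERENT = b"Cookie: session=Qz8LmT0xWv4RkYp2NsJh6UdGc1BeAo3i\r\n"


def deflate(data: bytes) -> bytes:
    """Compress data in a fresh DEFLATE context (nothing shared with other calls)."""
    ctx = zlib.compressobj(9)
    return ctx.compress(data) + ctx.flush()


def observable_size(strategy: str, other: bytes, secret: bytes) -> int:
    """Size of the on-wire unit that carries the secret, per intermediary behaviour."""
    if strategy == "merge_then_compress":
        # Prohibited case: both frames end up in one compression context.
        return len(deflate(other + secret))
    if strategy == "separate_contexts":
        # Each frame keeps its own context; the secret's frame stands alone.
        return len(deflate(secret))
    if strategy == "merge_uncompressed":
        # Merged but never recompressed: size is a plain sum of lengths.
        return len(other) + len(secret)
    raise ValueError(f"unknown strategy: {strategy}")


def size_depends_on_neighbour(strategy: str) -> bool:
    """True if swapping the same-length neighbouring frame changes the observed size."""
    a = observable_size(strategy, OTHER_MATCHING, SECRET_FRAME)
    b = observable_size(strategy, OTHER_DIFFERENT, SECRET_FRAME)
    return a != b


if __name__ == "__main__":
    for s in ("merge_then_compress", "separate_contexts", "merge_uncompressed"):
        print(f"{s:22s} size depends on neighbour: {size_depends_on_neighbour(s)}")
```

Only the merge-then-compress behaviour produces a size that varies with the neighbouring frame, which matches the note that merging is an issue only if the merged data is subsequently compressed.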