Re: New Version Notification for draft-kerwin-http2-encoded-data-01.txt

On 23 July 2014 09:14, Greg Wilkins <> wrote:

> Matthew,
> why are the compression contexts frame only?    Doesn't that make this
> extension very vulnerable to fragmentation, specially if we drop
> END_SEGMENT as we have done.
> ​
> ​
> ​
> ​
> Surely there is no harm in having a compression context that is per stream?
The two main reasons were CRIME/BREACH attacks, and to limit the state
commitment, particularly when transport-level compression was part of the
main spec. I'm trying to dig up a reference to the conversation that lead
to it; here's one cherry I've picked from the archives, which might be a
starting point back from which to work: Three
months is such a long time ago, on the internet. :\

Incidentally, END_SEGMENT had potential to enforce useful fragmentation --
i.e. avoiding a CRIME/BREACH attack by separating secret and
attacker-controlled data with an end-to-end barrier -- if the END_SEGMENT
mechanism was exposed to the origin application.

> If there is a desire to have per frame contexts, can't that be done with
> different types rather than saying that no type can have a stream context?
​It could be, I'm totally up for discussion on it. If the WG wants to adopt
the draft, or just host the discussion on it, I'm cool with that too.
Probably not when we're focusing pretty hard on getting consensus and
closing out issues in the main spec, though.

  Matthew Kerwin

Received on Wednesday, 23 July 2014 00:27:03 UTC