- From: Matthew Kerwin <matthew@kerwin.net.au>
- Date: Wed, 23 Jul 2014 10:26:35 +1000
- To: Greg Wilkins <gregw@intalio.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CACweHNC6Pd_TSw2bBumFDiWDNxcxUHZZnm5=HvV76jGwVzDrYA@mail.gmail.com>
On 23 July 2014 09:14, Greg Wilkins <gregw@intalio.com> wrote: > > Matthew, > > why are the compression contexts frame only? Doesn't that make this > extension very vulnerable to fragmentation, specially if we drop > END_SEGMENT as we have done. > > > > > > Surely there is no harm in having a compression context that is per stream? > > The two main reasons were CRIME/BREACH attacks, and to limit the state commitment, particularly when transport-level compression was part of the main spec. I'm trying to dig up a reference to the conversation that lead to it; here's one cherry I've picked from the archives, which might be a starting point back from which to work: http://lists.w3.org/Archives/Public/ietf-http-wg/2014AprJun/0297.html Three months is such a long time ago, on the internet. :\ Incidentally, END_SEGMENT had potential to enforce useful fragmentation -- i.e. avoiding a CRIME/BREACH attack by separating secret and attacker-controlled data with an end-to-end barrier -- if the END_SEGMENT mechanism was exposed to the origin application. > If there is a desire to have per frame contexts, can't that be done with > different types rather than saying that no type can have a stream context? > > It could be, I'm totally up for discussion on it. If the WG wants to adopt the draft, or just host the discussion on it, I'm cool with that too. Probably not when we're focusing pretty hard on getting consensus and closing out issues in the main spec, though. -- Matthew Kerwin http://matthew.kerwin.net.au/
Received on Wednesday, 23 July 2014 00:27:03 UTC