Re: Benoit Claise's Discuss on draft-ietf-httpbis-header-compression-10: (with DISCUSS)


I just said this on the iesg telechat, but was asked to respond in
this thread too...

I think this one is fine as-is. I don't see that it'd make sense to have
a list of header fields in the RFC or in a registry. Reason being that
the set to not compress can change as we see new attacks and maybe also
depending on the underlying ciphersuites.


On 22/01/15 16:44, Roberto Peon wrote:
> For my part, if it isn't clear what to do with these (set the never-index
> bit when making a request where the entity causing the request is a 3rd
> party as a stronger defense against CRIME-like attacks), then it really
> should be better documented.
> I'd be happy to see this recommendation added to either the HTTP2 or HPACK
> document and/or discussed more.
> -=R
> On Thu, Jan 22, 2015 at 7:42 AM, Barry Leiba <>
> wrote:
>>> David Black, part of the combined OPS/GEN-ART review
>>> (
>>> mentions:
>>> The second major issue looks serious - one of the major motivations
>>> for HPACK is to mitigate attacks on DEFLATE (e.g., CRIME) via use of
>>> never
>>> indexed fields wrt compression.  The absence of a list of header fields
>>> that MUST use that never indexed functionality appears to be a serious
>>> oversight.
>>> Could I ask one of you to place a Discuss to ensure that these concerns
>>> are addressed?
>>> ====================
>>> I haven't had the time to read the draft (shocking I know). So I'm
>>> unclear at this point if the feedback is DISCUSS/COMMENT-worthy, but ...
>>> I've got a very high respect for David's technical reviews. In many years
>>> of review, it's the first time he directly asked me to file a DISCUSS. So
>>> I want to go to the bottom of this issue. If this approach is clumsy
>>> (yes, I know, the DISCUSS should be in my name, not on behalf of David),
>>> I could also "DEFER" this draft.
>>> I also see that the authors/David engaged in the discussion on the
>>> list. Good.
>> For what it's worth, BenoƮt, I'm perfectly happy with your DISCUSS for
>> this, even though it's kind of on the edge of the defined process.
>> Making sure the comment is address adequately is important, and we're
>> doing the right thing.
>> There was, in fact, discussion about this, and David did not agree
>> with Martin's response.  I'll note that both Stephen and Kathleen
>> balloted Yes on this document, without mentioning the issue.  On the
>> other hand, as it wasn't copied to the IESG list, they might not have
>> seen it raised.  Let's talk about it with them on the call.
>> Barry

Received on Thursday, 22 January 2015 17:09:47 UTC