Re: [Gen-art] Gen-ART and OPS-Dir review of draft-ietf-httpbis-header-compression-10 from Stephen Farrell on 2015-01-23 (ietf-http-wg@w3.org from January to March 2015)

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Fri, 23 Jan 2015 15:45:18 +0000
To: Jari Arkko <jari.arkko@piuha.net>, Hervé Ruellan <herve.ruellan@crf.canon.fr>
CC: Martin Thomson <martin.thomson@gmail.com>, David Black <david.black@emc.com>, ietf@ietf.org, "General Area Review Team (gen-art@ietf.org)" <gen-art@ietf.org>, "fenix@google.com" <fenix@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <54C26C8E.50507@cs.tcd.ie>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 23/01/15 15:35, Jari Arkko wrote:
> 
>> I made a proposal at
>> https://github.com/http2/http2-spec/pull/704
> 
> Looked reasonable to me.

Me too. Quibbling, I'd suggest:

OLD:

 The decision on whether a header field is sensitive or
 not is highly dependent on the context. As a generic
 guidance, header fields used for conveying highly valued
 information, such as the Authorization or Cookie header
 fields, can be considered to be on the more sensitive
 side. In addition, a header field with a short value
 has potentially a smaller entropy and can be more at
 risk.

NEW:

 The decision on whether a header field is ok to
 compress or
 not is highly dependent on the context. As a generic
 guidance, header fields used for conveying highly valued
 information, such as the Authorization or Cookie header
 fields, can be considered to be on the more sensitive
 side. In addition, a header field with a short value
 has potentially a smaller entropy and can be more at
 risk. We know that compressing low-entropy sensitive
 header fields can create vulnerabilities so such
 cases are most likely the ones to not compress today.
 Note though that the criteria to apply here may evolve
 over time as we gain knowledge of new attacks.

Cheers,
S.

> 
> jari
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUwmyOAAoJEC88hzaAX42iJKkIAJtbLdBsQe12+yyg47yupU9x
xbJJ8WZj7vN9Owc9DbzPUczcejjxPUETWwiJ4gzGEnqOTgkH4Ljbt3DnZO1OrdwL
J5sdie+/x85WuimEgz8GLeOvHe3vyKAJzRIGuX4c4PFgxQ2EBQTJwMM9/qBx9Wp4
gLNSMmvd0DT8mfozQokju4H4SsxEgFWIERpDO1Has/3ska0u0qhCrJgIdSSWWn08
yvsjoPDfp+SPEJOa+vWoWqP971QXaGsm5lnhPDLTJ+u06cWpzeQerOEmS3dMYX4A
0gcR73olUgS9gqVQ/HIYDKLxsOX3DXH0QSJhHOgYrE6GNPUX2bz7npN0PP7+x0s=
=Txbn
-----END PGP SIGNATURE-----

Received on Friday, 23 January 2015 15:45:53 UTC