
Re: Stephen Farrell's Discuss on draft-ietf-httpbis-cice-02: (with DISCUSS)

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 3 Sep 2015 10:52:46 +1000
Cc: The IESG <iesg@ietf.org>, Mark Nottingham <mnot@pobox.com>, ietf-http-wg@w3.org
Message-Id: <9F69E58B-58CA-48BB-AFBE-01E50840512C@mnot.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>

Something like this, perhaps?
  http://httpwg.github.io/specs/rfc7540.html#rfc.section.10.6

Cheers,


> On 3 Sep 2015, at 1:39 am, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> Stephen Farrell has entered the following ballot position for
> draft-ietf-httpbis-cice-02: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-cice/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> 
> 
> Did anyone think through the potential for this kind of
> change to interact with attacks like BREACH? [1] It
> looks like at least some of the mitigations mentioned on
> [1] would not apply to requests, or possibly not, so I
> suspect there is something to say here. If that analysis
> was not done, I think someone ought look at it. If that
> analysis was done, shouldn't there be some mention here? 
> 
>   [1] http://breachattack.com/
> 
> 
> 
> 

--
Mark Nottingham   https://www.mnot.net/
Received on Thursday, 3 September 2015 00:53:24 UTC
