- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 3 Sep 2015 02:01:04 +0100
- To: Mark Nottingham <mnot@mnot.net>
- Cc: ietf-http-wg@w3.org, The IESG <iesg@ietf.org>, Mark Nottingham <mnot@pobox.com>

On 03/09/15 01:52, Mark Nottingham wrote:
> Something like this, perhaps?
> http://httpwg.github.io/specs/rfc7540.html#rfc.section.10.6

Yes and no.

No. The URL above is for HTTP/2 and this is a header usable in HTTP/1.1 so is not the same. Adding this to a system that is currently safe wrt BREACH is also perhaps not the same as doing HTTP/2 from scratch and ending up safe wrt BREACH.

But more importantly, yes, I'm asking about the kind of analysis that led to the section 10.6 you point at.

S.

>
> Cheers,
>
>
>> On 3 Sep 2015, at 1:39 am, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>
>> Stephen Farrell has entered the following ballot position for
>> draft-ietf-httpbis-cice-02: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-httpbis-cice/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>>
>>
>> Did anyone think through the potential for this kind of
>> change to interact with attacks like BREACH? [1] It
>> looks like at least some of the mitigations mentioned on
>> [1] would not apply to requests, or possibly not, so I
>> suspect there is something to say here. If that analysis
>> was not done, I think someone ought look at it. If that
>> analysis was done, shouldn't there be some mention here?
>>
>> [1] http://breachattack.com/
>>
>>
>>
>>
>
> --
> Mark Nottingham https://www.mnot.net/
>

Received on Thursday, 3 September 2015 01:01:39 UTC