- From: <chaals@yandex-team.ru>
- Date: Fri, 20 Jan 2017 04:48:57 +0100
- To: ietf-http-wg@w3.org
Hi, re-(re-)starting discussion… Yandex sees real value from shared dictionary compression, and others have also reported this is the case. Although there are a couple of proposals, we're not very happy with either, so we're planning to make a third one, based partially on our implementation experience and partially on work we are prototyping now. We've heard there are security concerns. One concern seems to be that bundling "secrets" with known content such as a style sheet helps attackers decrypt the secrets. Although valuable secret content in a shared dictionary seems like a bad idea anyway, our proposal includes the ability to use multiple dictionaries, and has separating metadata from the "blob payload" as a goal. It seems to me (although I'm not the sharpest knife in the security drawer) this should provide a simple approach to mitigating this issue. Additionally, since this is a new powerful feature, there is no reason not to restrict it to secure connections. I'm not at all sure that I understand all the security concerns that people have raised, let alone have a solution ready, so I'd be grateful for any pointers (or kicks) in the right direction. We also expect to provide more solid information on what sort of improvements we see in what sort of situations based on actual deployment. We'd be grateful if others with relevant experience could do likewise, to help justify asking people to spend the time to review. cheers Chaals -- Charles McCathie Nevile - standards - Yandex chaals@yandex-team.ru - - - Find more at http://yandex.com
Received on Friday, 20 January 2017 03:49:33 UTC