- From: Nancy Cam-Winget via Datatracker <noreply@ietf.org>
- Date: Wed, 07 Aug 2024 16:03:30 -0700
- To: <secdir@ietf.org>
- Cc: draft-ietf-httpbis-compression-dictionary.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
Reviewer: Nancy Cam-Winget
Review result: Ready

SECDIR review of draft-ietf-httpbis-compression-dictionary-09
Reviewer: Nancy Cam-Winget

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document defines HTTP headers that can be used for negotiating for enabling compression by using dictionaries. The negotiation defines an external dictionary that provides the mapping or patterns to decode when compression is enabled. The document leverages the use of Brotli (RFC7932) and Standard (RFC8878) as the compression schemes.

The document reads well and I have found no issues but have one minor question:

Section 2.2
* Is the intent of providing the hash of the "Available-Dictionary" meant to be for protection or for compression?

Section 9.1
* To my point in Section 2.2, we presume that all headers are encrypted and protected, so I think it would depend on what protection is being achieved. That is, I think it should be stated that if the header protection is found to be weak, this can be made vulnerable too (I think this is somewhat covered in 9.2 maybe?)

Received on Wednesday, 7 August 2024 23:03:35 UTC