Re: [Gen-art] Gen-ART and OPS-Dir review of draft-ietf-httpbis-header-compression-10

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 23 January 2015 15:45 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1169D1A9164; Fri, 23 Jan 2015 07:45:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.61
X-Spam-Level:
X-Spam-Status: No, score=-1.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CTPtCbvcOVmM; Fri, 23 Jan 2015 07:45:20 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC5151A9140; Fri, 23 Jan 2015 07:45:19 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id AD4C3BEA4; Fri, 23 Jan 2015 15:45:18 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id et7V1lmT_fNK; Fri, 23 Jan 2015 15:45:18 +0000 (GMT)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 8093BBEA0; Fri, 23 Jan 2015 15:45:18 +0000 (GMT)
Message-ID: <54C26C8E.50507@cs.tcd.ie>
Date: Fri, 23 Jan 2015 15:45:18 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Jari Arkko <jari.arkko@piuha.net>, =?UTF-8?B?SGVydsOpIFJ1ZWxsYW4=?= <herve.ruellan@crf.canon.fr>
References: <CE03DB3D7B45C245BCA0D243277949362DE459@MX104CL02.corp.emc.com> <CABkgnnUwNQUcFg5w5HFpSQrAUxtbqG_UN-_WDGop1eqqoCS+Aw@mail.gmail.com> <1421779730757.42642@crf.canon.fr> <CE03DB3D7B45C245BCA0D243277949362E9050@MX104CL02.corp.emc.com> <B42673AB-2819-42F5-BC63-6418449FC030@piuha.net> <54C13996.2030906@crf.canon.fr> <0A78F531-9E8E-4ED1-BD8F-AAE70684DB24@piuha.net> <CABkgnnVBCK-yy9WitKCVqitcXssOHgBc2c+3UeRO09mAHa3A8Q@mail.gmail.com> <54C23CC5.7050901@cs.tcd.ie> <54C267DE.5040202@crf.canon.fr> <ABFED3B4-D37D-4498-9280-3C071EB00892@piuha.net>
In-Reply-To: <ABFED3B4-D37D-4498-9280-3C071EB00892@piuha.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/-pZUcs6eDXxyIsfd7lQl0jzdVnI>
Cc: ietf@ietf.org, "General Area Review Team \(gen-art@ietf.org\)" <gen-art@ietf.org>, "fenix@google.com" <fenix@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Subject: Re: [Gen-art] Gen-ART and OPS-Dir review of draft-ietf-httpbis-header-compression-10
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jan 2015 15:45:22 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 23/01/15 15:35, Jari Arkko wrote:
> 
>> I made a proposal at
>> https://github.com/http2/http2-spec/pull/704
> 
> Looked reasonable to me.

Me too. Quibbling, I'd suggest:

OLD:

 The decision on whether a header field is sensitive or
 not is highly dependent on the context. As a generic
 guidance, header fields used for conveying highly valued
 information, such as the Authorization or Cookie header
 fields, can be considered to be on the more sensitive
 side. In addition, a header field with a short value
 has potentially a smaller entropy and can be more at
 risk.

NEW:

 The decision on whether a header field is ok to
 compress or
 not is highly dependent on the context. As a generic
 guidance, header fields used for conveying highly valued
 information, such as the Authorization or Cookie header
 fields, can be considered to be on the more sensitive
 side. In addition, a header field with a short value
 has potentially a smaller entropy and can be more at
 risk. We know that compressing low-entropy sensitive
 header fields can create vulnerabilities so such
 cases are most likely the ones to not compress today.
 Note though that the criteria to apply here may evolve
 over time as we gain knowledge of new attacks.

Cheers,
S.




> 
> jari
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUwmyOAAoJEC88hzaAX42iJKkIAJtbLdBsQe12+yyg47yupU9x
xbJJ8WZj7vN9Owc9DbzPUczcejjxPUETWwiJ4gzGEnqOTgkH4Ljbt3DnZO1OrdwL
J5sdie+/x85WuimEgz8GLeOvHe3vyKAJzRIGuX4c4PFgxQ2EBQTJwMM9/qBx9Wp4
gLNSMmvd0DT8mfozQokju4H4SsxEgFWIERpDO1Has/3ska0u0qhCrJgIdSSWWn08
yvsjoPDfp+SPEJOa+vWoWqP971QXaGsm5lnhPDLTJ+u06cWpzeQerOEmS3dMYX4A
0gcR73olUgS9gqVQ/HIYDKLxsOX3DXH0QSJhHOgYrE6GNPUX2bz7npN0PP7+x0s=
=Txbn
-----END PGP SIGNATURE-----