Re: [Gen-art] Gen-ART and OPS-Dir review of draft-ietf-httpbis-header-compression-10

Hervé Ruellan <> Thu, 22 January 2015 17:55 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3043F1ACE87; Thu, 22 Jan 2015 09:55:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.26
X-Spam-Status: No, score=-1.26 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zX1xQl_c7CN1; Thu, 22 Jan 2015 09:55:43 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DA3011ACE8A; Thu, 22 Jan 2015 09:55:39 -0800 (PST)
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id t0MHtZki025355; Thu, 22 Jan 2015 18:55:35 +0100
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id t0MHtZQl005874; Thu, 22 Jan 2015 18:55:35 +0100
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.995.29; Thu, 22 Jan 2015 18:55:34 +0100
Message-ID: <>
Date: Thu, 22 Jan 2015 18:55:34 +0100
From: =?windows-1252?Q?Herv=E9_Ruellan?= <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Jari Arkko <>, "Black, David" <>, Martin Thomson <>
References: <>, <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 8bit
X-Originating-IP: []
X-ClientProxiedBy: ( To (
Archived-At: <>
Cc: "" <>, "General Area Review Team \(\)" <>, "" <>, "" <>
Subject: Re: [Gen-art] Gen-ART and OPS-Dir review of draft-ietf-httpbis-header-compression-10
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 22 Jan 2015 17:55:44 -0000


On 01/22/2015 01:22 PM, Jari Arkko wrote:
>> Designing a mechanism to resist an attack but failing to provide guidance
>> (either here or in the main HTTP v2 draft) on how to use it to resist that
>> attack does not solve the actual problem, no matter how clever the
>> mechanism.
>> I hope the Security ADs notice this discussion, because the current
>> situation looks like a security flaw from here (likely to result
>> in insecure implementations, even though the implementations contain
>> the mechanism needed to fix the security problem).
>> If a list of specific fields is not reasonable, some specific guidance on
>> where and why this mechanism needs to be applied is in order, as (IMHO)
>> it is unreasonable to expect the entire global implementer community
>> to have a detailed working command of the CRIME attack and its HPACK
>> implications wrt specific pieces of information exchanged in the HTTP v2
>> protocol.
> I am sympathetic to David’s point here, although it is not necessarily clear
> to me that such information needs to be a part of this specific draft; it could
> be defined elsewhere as well.
> For what it is worth, I’m doing a review of this document along with Gen-ART
> review comments, and I think where I have ended up is that the above issue
> is a Comment from my perspective (and not a blocking Discuss).
> But I’d like to hear some feedback on this point though, or has that
> discussion already happened in the WG in the past? Also, for my
> education, are the standardised header fields that would clearly end
> up on the list, if it existed, or is this only for other
> or future header fields?

To complement my previous response to David, I think that there are no 
existing header fields that would clearly end up on the list. Some of 
them are good candidates for using the "never indexed literals" 
mechanism, but it mostly depends on how they are used. As Martin 
reported from Firefox implementation, a short cookie should probably be 
protected by this mechanism. But it's a rule of thumb: this cookie could 
convey some uninteresting data or your badly encrypted bank password.


> Jari