Shared Dictionaries (SDCH and friends) Fri, 20 January 2017 03:53 UTC



re-(re-)starting discussion…

Yandex sees real value from shared dictionary compression, and others have also reported this is the case.

Although there are a couple of proposals, we're not very happy with either, so we're planning to make a third one, based partially on our implementation experience and partially on work we are prototyping now.

We've heard there are security concerns. One concern seems to be that bundling "secrets" with known content such as a style sheet helps attackers decrypt the secrets. Although valuable secret content in a shared dictionary seems like a bad idea anyway, our proposal includes the ability to use multiple dictionaries, and has separating metadata from the "blob payload" as a goal. It seems to me (although I'm not the sharpest knife in the security drawer) this should provide a simple approach to mitigating this issue. Additionally, since this is a new powerful feature, there is no reason not to restrict it to secure connections. 

I'm not at all sure that I understand all the security concerns that people have raised, let alone have a solution ready, so I'd be grateful for any pointers (or kicks) in the right direction. 

We also expect to provide more solid information on what sort of improvements we see in what sort of situations based on actual deployment. We'd be grateful if others with relevant experience could do likewise, to help justify asking people to spend the time to review.



Charles McCathie Nevile - standards - Yandex - - - Find more at