Shared Dictionaries (SDCH and friends)
chaals@yandex-team.ru Fri, 20 January 2017 03:53 UTC
From: chaals@yandex-team.ru
To: ietf-http-wg@w3.org
Archived-At: <http://www.w3.org/mid/6671484884137@webcorp02d.yandex-team.ru>

Hi,

re-(re-)starting discussion…

Yandex sees real value from shared dictionary compression, and others have also reported this is the case. Although there are a couple of proposals, we're not very happy with either, so we're planning to make a third one, based partially on our implementation experience and partially on work we are prototyping now.

We've heard there are security concerns. One concern seems to be that bundling "secrets" with known content such as a style sheet helps attackers decrypt the secrets. Although valuable secret content in a shared dictionary seems like a bad idea anyway, our proposal includes the ability to use multiple dictionaries, and has separating metadata from the "blob payload" as a goal. It seems to me (although I'm not the sharpest knife in the security drawer) this should provide a simple approach to mitigating this issue. Additionally, since this is a new powerful feature, there is no reason not to restrict it to secure connections.

I'm not at all sure that I understand all the security concerns that people have raised, let alone have a solution ready, so I'd be grateful for any pointers (or kicks) in the right direction.

We also expect to provide more solid information on what sort of improvements we see in what sort of situations based on actual deployment. We'd be grateful if others with relevant experience could do likewise, to help justify asking people to spend the time to review.

cheers

Chaals

--
Charles McCathie Nevile - standards - Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com
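
Added example, not part of the original message or of any Yandex proposal: a dictionary audit that measures how much the compressed response size depends on secret material inside a shared dictionary, and shows the effect disappearing when the dictionary is built from public content only. Assumptions: zlib's preset dictionary (zdict) stands in for an SDCH-style shared dictionary, and the style sheet, token, function names and threshold are constructed for illustration.

```python
import zlib

# Constructed sample data; none of it comes from the original message.
PUBLIC_CSS = b"body{margin:0;font-family:sans-serif}.nav{display:flex}" * 4
SECRET = b"csrf_token=9f2c41d7a8b34e06b1c5d2e7f3a4908c"


def compressed_len(body: bytes, dictionary: bytes) -> int:
    """Size of body after deflate with a preset (shared) dictionary."""
    comp = zlib.compressobj(level=9, zdict=dictionary)
    return len(comp.compress(body) + comp.flush())


def size_signal(dictionary: bytes, secret: bytes) -> int:
    """Bytes saved when a body equals `secret` rather than a decoy.

    The decoy keeps the field name and reverses the value, so it has the
    same length and byte histogram; any size gap comes from dictionary
    matches alone. A large value means response size depends on secret
    material inside the dictionary.
    """
    name, _, value = secret.partition(b"=")
    decoy = name + b"=" + value[::-1]
    return compressed_len(decoy, dictionary) - compressed_len(secret, dictionary)


def audit(dictionaries: dict, secret: bytes, threshold: int = 8) -> dict:
    """Flag dictionaries whose size signal for `secret` exceeds threshold."""
    return {label: size_signal(d, secret) > threshold
            for label, d in dictionaries.items()}


# One dictionary built from mixed content, one from public content only.
MIXED = PUBLIC_CSS + SECRET
PUBLIC_ONLY = PUBLIC_CSS

if __name__ == "__main__":
    for label, d in (("mixed", MIXED), ("public-only", PUBLIC_ONLY)):
        print(label, size_signal(d, SECRET))
```

A check of this kind can run in the pipeline that builds dictionaries, with the list of known secret fields supplied by the site; it does not depend on the transport, so it applies equally when the feature is restricted to secure connections.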