Secdir last call review of draft-ietf-httpbis-compression-dictionary-09
Nancy Cam-Winget via Datatracker <noreply@ietf.org> Wed, 07 August 2024 23:04 UTC
From: Nancy Cam-Winget via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-httpbis-compression-dictionary.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
Message-ID: <172307181050.195.15472875602261483639@dt-datatracker-6df4c9dcf5-t2x2k>
Reply-To: Nancy Cam-Winget <ncamwing@cisco.com>
Date: Wed, 07 Aug 2024 16:03:30 -0700
Subject: Secdir last call review of draft-ietf-httpbis-compression-dictionary-09
Archived-At: <https://www.w3.org/mid/172307181050.195.15472875602261483639@dt-datatracker-6df4c9dcf5-t2x2k>
Reviewer: Nancy Cam-Winget
Review result: Ready

SECDIR review of draft-ietf-httpbis-compression-dictionary-09
Reviewer: Nancy Cam-Winget

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document defines HTTP headers that can be used for negotiating for enabling compression by using dictionaries. The negotiation defines an external dictionary that provides the mapping or patterns to decode when compression is enabled. The document leverages the use of Brotli (RFC7932) and Zstandard (RFC8878) as the compression schemes.

The document reads well and I have found no issues but have one minor question:

Section 2.2
* Is the intent of providing the hash of the "Available-Dictionary" meant to be for protection or for compression?

Section 9.1
* To my point in Section 2.2, we presume that all headers are encrypted and protected, so I think it would depend on what protection is being achieved. That is, I think it should be stated that if the header protection is found to be weak, this can be made vulnerable too (I think this is somewhat covered in 9.2 maybe?)
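The Section 2.2 question above turns on what the dictionary hash in "Available-Dictionary" does. The following is an added illustration, not code from the reviewer, the draft authors or any implementation: it models a client advertising a hash of a dictionary it holds and a server matching that hash against its own copies. It assumes SHA-256 as the digest and an RFC 8941 byte-sequence (`:base64:`) encoding for the header value; both are assumptions for this example, and the sample dictionary is constructed. The point it shows is that the hash serves as a content identifier with integrity semantics: a dictionary that differs by even one byte produces a different hash, so the server declines to compress against it rather than producing output the client cannot decode. It is not a confidentiality mechanism, so the header's own protection (the Section 9.1 point) is what keeps an on-path party from learning which dictionary is in use.

```python
import base64
import hashlib
from typing import Dict, Optional

# Constructed sample dictionary. In practice this would be a previously fetched
# resource (for example an older version of a script) that both peers hold
# byte-for-byte identically.
SAMPLE_DICTIONARY = b"function greet(name) { return 'Hello, ' + name; }\n"


def dictionary_hash(dictionary: bytes) -> bytes:
    """Digest of the raw dictionary bytes (assumption: SHA-256)."""
    return hashlib.sha256(dictionary).digest()


def available_dictionary_header(dictionary: bytes) -> str:
    """Client side: encode the digest as an RFC 8941 byte sequence (assumption)."""
    return ":" + base64.b64encode(dictionary_hash(dictionary)).decode("ascii") + ":"


def parse_available_dictionary(value: str) -> Optional[bytes]:
    """Parse a received header value strictly; return None if it is malformed.

    Malformed or wrong-length values are rejected rather than guessed at, so a
    corrupted or tampered header can never select a dictionary by accident."""
    value = value.strip()
    if len(value) < 2 or value[0] != ":" or value[-1] != ":":
        return None
    try:
        digest = base64.b64decode(value[1:-1], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(digest) != hashlib.sha256().digest_size:
        return None
    return digest


def select_dictionary(header_value: str,
                      server_dictionaries: Dict[bytes, bytes]) -> Optional[bytes]:
    """Server side: return the dictionary whose digest equals the advertised one.

    server_dictionaries maps digest -> dictionary bytes. A miss (None) means the
    server must respond without dictionary compression, because compressing
    against a dictionary the client does not hold byte-for-byte would yield an
    undecodable body."""
    digest = parse_available_dictionary(header_value)
    if digest is None:
        return None
    return server_dictionaries.get(digest)


def verify_fetched_dictionary(received: bytes, expected_digest: bytes) -> bool:
    """Client side: before trusting a dictionary obtained over the network,
    confirm its bytes match the digest the client intends to advertise."""
    return hashlib.sha256(received).digest() == expected_digest


def demo() -> Dict[str, Optional[bytes]]:
    """Walk through a match and a one-byte-off mismatch; returns both outcomes."""
    store = {dictionary_hash(SAMPLE_DICTIONARY): SAMPLE_DICTIONARY}
    good = select_dictionary(available_dictionary_header(SAMPLE_DICTIONARY), store)
    altered = SAMPLE_DICTIONARY[:-1] + b" "  # constructed: trailing byte changed
    bad = select_dictionary(available_dictionary_header(altered), store)
    return {"match": good, "mismatch": bad}


if __name__ == "__main__":
    result = demo()
    print("header:", available_dictionary_header(SAMPLE_DICTIONARY))
    print("matched:", result["match"] is not None)
    print("altered copy matched:", result["mismatch"] is not None)
```

Because the server only ever compresses against a dictionary whose digest it has computed itself, a substituted or corrupted dictionary on the client side results in a negotiation miss rather than in decoding garbage; the strictness of `parse_available_dictionary` is what makes that guarantee hold for malformed header values too.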