Secdir last call review of draft-ietf-httpbis-compression-dictionary-09

Nancy Cam-Winget via Datatracker <noreply@ietf.org> Wed, 07 August 2024 23:04 UTC

From: Nancy Cam-Winget via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-httpbis-compression-dictionary.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
Message-ID: <172307181050.195.15472875602261483639@dt-datatracker-6df4c9dcf5-t2x2k>
Reply-To: Nancy Cam-Winget <ncamwing@cisco.com>
Date: Wed, 07 Aug 2024 16:03:30 -0700
Archived-At: <https://www.w3.org/mid/172307181050.195.15472875602261483639@dt-datatracker-6df4c9dcf5-t2x2k>

Reviewer: Nancy Cam-Winget
Review result: Ready

SECDIR review of draft-ietf-httpbis-compression-dictionary-09

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.


This document defines HTTP headers that can be used to negotiate
enabling compression using dictionaries.  The negotiation
defines an external dictionary that provides the mappings or patterns
used to decode content when compression is enabled.  The document leverages
Brotli (RFC7932) and Zstandard (RFC8878) as the compression schemes.


The document reads well and I have found no issues, but I have
one minor question:

Section 2.2
* Is the intent of providing the hash in the "Available-Dictionary"
header meant to be for protection or for compression?

Section 9.1
* To my point in Section 2.2, we presume that all headers are
encrypted and protected, so I think it would depend on what protection
is being achieved. That is, I think it should be stated that if the
header protection is found to be weak, this can be made vulnerable too
(I think this is somewhat covered in 9.2, maybe?)
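As an added illustration of the Section 2.2 question (this is example code, not from the draft or the review): the Available-Dictionary value is a digest of the dictionary bytes, and the same value serves both purposes. It tells the server which dictionary the client holds so the server can compress against it, and it lets either side confirm it has exactly the bytes the other used, since decoding with a mismatched dictionary produces garbage. It assumes a SHA-256 digest carried as an RFC 8941 Byte Sequence (`:base64:`), and the sample dictionary is constructed.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample dictionary; in practice this is a previously fetched response body.
DICTIONARY = b"<html><head><title>Example Site</title></head><body>" * 4


def dictionary_hash(dictionary: bytes) -> bytes:
    """SHA-256 digest that both identifies and integrity-checks a dictionary (assumed)."""
    return hashlib.sha256(dictionary).digest()


def available_dictionary_header(dictionary: bytes) -> str:
    """Client side: encode the digest as a Byte Sequence for the Available-Dictionary header."""
    return ":" + base64.b64encode(dictionary_hash(dictionary)).decode("ascii") + ":"


def parse_available_dictionary(value: str) -> Optional[bytes]:
    """Server side: parse the Byte Sequence strictly; malformed or wrong-length values are rejected."""
    if len(value) < 2 or value[0] != ":" or value[-1] != ":":
        return None
    try:
        digest = base64.b64decode(value[1:-1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return digest if len(digest) == hashlib.sha256().digest_size else None


def select_dictionary(header_value: str, known: Dict[bytes, bytes]) -> Optional[bytes]:
    """Server side: compress only against a dictionary whose digest the client advertised."""
    digest = parse_available_dictionary(header_value)
    if digest is None:
        return None
    return known.get(digest)


def client_accepts(stored_dictionary: bytes, advertised_digest: bytes) -> bool:
    """Client side: re-verify the stored bytes match the digest it advertised before decoding."""
    return hmac.compare_digest(dictionary_hash(stored_dictionary), advertised_digest)


if __name__ == "__main__":
    header = available_dictionary_header(DICTIONARY)
    server_dicts = {dictionary_hash(DICTIONARY): DICTIONARY}
    print("Available-Dictionary:", header)
    print("server selected a dictionary:", select_dictionary(header, server_dicts) is not None)
```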