Secdir last call review of draft-ietf-httpbis-zstd-window-size-01
Tim Hollebeek via Datatracker <noreply@ietf.org> Tue, 30 July 2024 18:00 UTC
From: Tim Hollebeek via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-httpbis-zstd-window-size.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
Reply-To: Tim Hollebeek <tim.hollebeek@digicert.com>
Date: Tue, 30 Jul 2024 10:59:07 -0700
Archived-At: <https://www.w3.org/mid/172236234726.1988233.10638684912150320147@dt-datatracker-659f84ff76-9wqgv>
Reviewer: Tim Hollebeek
Review result: Ready

This is rather unimportant, but I just wanted to mention it in case the authors find it useful. Feel free to ignore.

The document states that there are no new security considerations, but that's perhaps not quite true. I think it might be useful to call out that an implementation cannot rely on its peer behaving correctly, so implementers will have to take into account they may still receive oversized frames from misbehaving clients.

This is arguably no different from the situation today, so it can be argued that the current considerations are accurate. I just thought it might be useful to call it out so some engineer doesn't remove validation checks since the other side is supposed to behave now.

Just because we have standards doesn't mean that everyone complies.
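The validation check the review is talking about, as an added example that is not part of the draft or of the reviewer's message: a receiver parses the zstd frame header (RFC 8878 layout: magic number, Frame_Header_Descriptor, optional Window_Descriptor, Dictionary_ID and Frame_Content_Size) and rejects a frame whose declared window exceeds its own limit before allocating decode state, regardless of what the peer is supposed to send. The 8 MiB `MAX_WINDOW` limit is an assumption chosen for the example, not a value taken from this page.

```python
import struct

ZSTD_MAGIC = 0xFD2FB528           # RFC 8878 frame magic number (bytes 28 B5 2F FD on the wire)
MAX_WINDOW = 8 * 1024 * 1024      # assumed local receiver limit (8 MiB); not stated on this page


def declared_window_size(frame: bytes) -> int:
    """Return the window size a zstd frame header declares (RFC 8878, section 3.1.1.1)."""
    if len(frame) < 6:
        raise ValueError("truncated frame header")
    if struct.unpack_from("<I", frame, 0)[0] != ZSTD_MAGIC:
        raise ValueError("not a zstd frame")
    fhd = frame[4]                          # Frame_Header_Descriptor
    fcs_flag = fhd >> 6                     # Frame_Content_Size_flag (bits 7-6)
    single_segment = (fhd >> 5) & 1         # Single_Segment_flag (bit 5)
    dict_flag = fhd & 3                     # Dictionary_ID_flag (bits 1-0)
    pos = 5
    if not single_segment:
        # Window_Descriptor: Exponent in bits 7-3, Mantissa in bits 2-0
        wd = frame[pos]
        exponent, mantissa = wd >> 3, wd & 7
        base = 1 << (10 + exponent)
        return base + (base >> 3) * mantissa
    # Single_Segment: no Window_Descriptor; the window equals Frame_Content_Size,
    # which follows the (optional) Dictionary_ID field and is always present here.
    pos += (0, 1, 2, 4)[dict_flag]
    fcs_len = (1, 2, 4, 8)[fcs_flag]
    if len(frame) < pos + fcs_len:
        raise ValueError("truncated frame header")
    fcs = int.from_bytes(frame[pos:pos + fcs_len], "little")
    if fcs_flag == 1:
        fcs += 256                          # 2-byte form is offset by 256 per RFC 8878
    return fcs


def accept_frame(frame: bytes, limit: int = MAX_WINDOW) -> bool:
    """Decide whether to decode: malformed or oversized windows are refused up front."""
    try:
        return declared_window_size(frame) <= limit
    except ValueError:
        return False


# Constructed sample headers (magic + FHD + Window_Descriptor), not captured traffic.
FRAME_8MIB = b"\x28\xb5\x2f\xfd\x00\x68"    # exponent 13 -> 2^23 bytes, mantissa 0
FRAME_16MIB = b"\x28\xb5\x2f\xfd\x00\x70"   # exponent 14 -> 2^24 bytes: over the limit
```

A real decoder would apply the same check to every frame in a response, since a misbehaving peer can concatenate frames with different window sizes.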