Re: Shared Dictionaries (SDCH and friends)
Martin Thomson <martin.thomson@gmail.com> Fri, 20 January 2017 04:11 UTC
In-Reply-To: <6671484884137@webcorp02d.yandex-team.ru>
References: <6671484884137@webcorp02d.yandex-team.ru>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 20 Jan 2017 17:08:49 +1300
Message-ID: <CABkgnnVYWJ9OhmROnd2NCX=A8_tHyQge0kUp4bTBj5eiRy8sCA@mail.gmail.com>
To: chaals@yandex-team.ru
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: Shared Dictionaries (SDCH and friends)
Archived-At: <http://www.w3.org/mid/CABkgnnVYWJ9OhmROnd2NCX=A8_tHyQge0kUp4bTBj5eiRy8sCA@mail.gmail.com>
Hey Chaals,

In case you missed the suggestion at the last meeting from Vlad, he suggested that this only be offered for use with fetches with a credentials-mode (See https://fetch.spec.whatwg.org/#concept-request-credentials-mode) of "omit". That is, don't make it possible for the server to use ambient authority (including cookies) to customize the request. I don't think that completely removes the concern, but it helps.

I don't think that having tools for separating "possibly under attacker influence" and "secret" is going to solve the issue. That's already possible with existing compression techniques; the concern is over the usability of those tools and the ability to correctly identify data as belonging to each category.

On 20 January 2017 at 16:48, <chaals@yandex-team.ru> wrote:
> Additionally, since this is a new powerful feature, there is no reason not to restrict it to secure connections.

FWIW, the security concerns ONLY apply to secure connections, so you needn't worry about this bit. If you are going to spray your secrets all over the internet, traffic analysis isn't really your most pressing concern.
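The point above, that separating "possibly under attacker influence" bytes from "secret" bytes is already achievable with ordinary compression, can be checked directly. The following is an added example, not code from this thread or from any SDCH implementation: it uses Python's zlib to show that a single compression context over both kinds of data makes the output length depend on whether the attacker-influenced part overlaps the secret, while giving each category its own context removes that dependence. The secret token, the echoed inputs and the function names are constructed for the demonstration.

```python
import zlib

# Constructed sample data (not real credentials). The secret is a token the
# server would include in a response; the "echo" inputs stand for bytes the
# response reflects from a request, which an outside party could influence.
SECRET = b"session=7f3a9c2d1e4b"
OVERLAPPING = b"echo=session=7f3a9c2d1e4b"      # shares a 20-byte run with SECRET
NON_OVERLAPPING = b"echo=q9z8y7x6w5v4u3t2s1r0"  # same length, no shared run


def compress_joint(influenced: bytes, secret: bytes) -> bytes:
    """One compression context for both categories (the risky layout).

    Any run that appears in both parts is encoded once and then referenced,
    so the output length encodes how much they have in common.
    """
    return zlib.compress(influenced + secret, 9)


def compress_separated(influenced: bytes, secret: bytes) -> bytes:
    """Separate contexts per category, concatenated as two zlib streams.

    Neither stream can reference bytes from the other, so the length of the
    output no longer depends on overlap between the two parts.
    """
    return zlib.compress(influenced, 9) + zlib.compress(secret, 9)


def decompress_separated(blob: bytes) -> tuple:
    """Recover both parts from the concatenated streams (round-trip check)."""
    first = zlib.decompressobj()
    influenced = first.decompress(blob)
    # zlib terminates each stream with its checksum, so the decompressor can
    # report exactly where the second stream begins.
    secret = zlib.decompress(first.unused_data)
    return influenced, secret


def leaks_length(compress_fn, secret: bytes, overlapping: bytes, non_overlapping: bytes) -> bool:
    """True if the compressed size differs between an influenced input that
    overlaps the secret and one of identical length that does not."""
    with_overlap = len(compress_fn(overlapping, secret))
    without_overlap = len(compress_fn(non_overlapping, secret))
    return with_overlap != without_overlap


if __name__ == "__main__":
    for name, fn in (("joint", compress_joint), ("separated", compress_separated)):
        print(name,
              "overlap:", len(fn(OVERLAPPING, SECRET)),
              "no overlap:", len(fn(NON_OVERLAPPING, SECRET)),
              "length depends on secret:", leaks_length(fn, SECRET, OVERLAPPING, NON_OVERLAPPING))
```

Running the script shows the joint layout producing a shorter output when the echoed bytes match the token and the separated layout producing identical sizes either way. The separated form costs an extra stream header and checksum per category and, as the message says, still leaves the hard part to the implementer: deciding correctly which bytes belong in which category.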