Re: [quicwg/base-drafts] QPACK security considerations (#3575)

afrind <> Tue, 05 May 2020 23:02 UTC


@afrind commented on this pull request.

> @@ -1155,6 +1369,19 @@ to an excess of unsent data might include limiting the ability of the peer to
 open new streams, reading only from the encoder stream, or closing the
+## Implementation Limits
+An implementation of QPACK needs to ensure that large values for integers, long
+encoding for integers, or long string literals do not create security
+An implementation has to set a limit for the values it accepts for integers, as
+well as for the encoded length (see {{prefixed-integers}}). In the same way, it
+has to set a limit to the length it accepts for string literals (see
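
Review bot: The sentence "An implementation has to set a limit for the values it accepts for integers, as well as for the encoded length" requires a limit but, in the lines shown, does not say what a decoder does when an input exceeds it. Consider stating the outcome next to each limit (integer value, encoded integer length, string literal length) so that an over-limit input is handled as a defined decoding error rather than left to each implementation. The phrase "has to" also reads as a requirement without using a normative keyword; if it is meant as one, say so explicitly, and if the limit is bounded by text in {{prefixed-integers}}, a short clause pointing at that bound would stop the two sections being read independently.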

@MikeBishop : I can't quite figure an elegant way to mention the minimum here.  It is already mentioned in the referenced section.
