Re: [secdir] secdir review of draft-alakuijala-brotli-08
Tobias Gondrom <tobias.gondrom@gondrom.org> Thu, 14 April 2016 12:26 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B07112E3CF; Thu, 14 Apr 2016 05:26:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.045
X-Spam-Level:
X-Spam-Status: No, score=-101.045 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_DYNAMIC_IPADDR=1.951, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (1024-bit key) header.from=tobias.gondrom@gondrom.org header.d=gondrom.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JIc6IrtkXEM4; Thu, 14 Apr 2016 05:26:21 -0700 (PDT)
Received: from lvps5-35-241-16.dedicated.hosteurope.de (www.gondrom.org [5.35.241.16]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E1A412E3CE; Thu, 14 Apr 2016 05:26:21 -0700 (PDT)
Received: from [192.168.43.211] (ip-109-43-1-24.web.vodafone.de [109.43.1.24]) by lvps5-35-241-16.dedicated.hosteurope.de (Postfix) with ESMTPSA id 4A6B2634BA; Thu, 14 Apr 2016 14:26:19 +0200 (CEST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=Sr4sFksnX7D/FSXb63sg/ajeS+i/sXieXUuCHgccYz+zjZ+qxR0N5A9HOLRfrWUDdmvCGipazZ3G9nF9dSqQ9q1KcMLjPTClz9o6SqCDw82MU3bQ6qKVTjNdCRAZXqFDfzS+6CdN1avcDzlS1rLy+hYZi72lrRQV28VTLTnmNNU=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type;
Message-ID: <570F8C6A.3030807@gondrom.org>
Date: Thu, 14 Apr 2016 14:26:18 +0200
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: dkg@fifthhorseman.net, frank.xialiang@huawei.com, iesg@ietf.org, secdir@ietf.org, draft-alakuijala-brotli.all@ietf.org
References: <C02846B1344F344EB4FAA6FA7AF481F12AF2C416@SZXEMA502-MBS.china.huawei.com> <87bn5guq9l.fsf@alice.fifthhorseman.net> <570D1F4D.6010306@gondrom.org> <871t6abwan.fsf@alice.fifthhorseman.net>
In-Reply-To: <871t6abwan.fsf@alice.fifthhorseman.net>
Content-Type: multipart/alternative; boundary="------------070500020104070505060207"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/3x7_8l3CjVXmBa0iSflRB2rueug>
Subject: Re: [secdir] secdir review of draft-alakuijala-brotli-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2016 12:26:22 -0000
On 12/04/16 18:56, Daniel Kahn Gillmor wrote: > On Tue 2016-04-12 12:16:13 -0400, Tobias Gondrom <tobias.gondrom@gondrom.org> wrote: >> in my understanding this ID is _only_ about a compression, not about >> encryption. Therefore it is not even intended to be resistant to the >> attack you describe below. (for proper confidentiality the channel >> would need to be encrypted.) > Agreed, but encryption specs are often _only_ about encryption, even > though they're sometimes layered over a compression protocol. > > I think your argument implies that this warning doesn't belong in either > Security Considerations section (of the compression-less encryption > protocol, or of the encryption-less compression protocol), which makes > me sad. > > Instead, i think we should make people considering either protocol aware > of the risks of the combination. This doesn't have to be a huge edit, > just a short paragraph in the security considerations. > > --dkg Just to be clear: This is just my own humble opinion, just one among many in the community. ;-) It is up to the WG and editors to decide. Cheers, Tobias
- [secdir] secdir review of draft-alakuijala-brotli… Xialiang (Frank)
- Re: [secdir] secdir review of draft-alakuijala-br… Daniel Kahn Gillmor
- Re: [secdir] secdir review of draft-alakuijala-br… Tobias Gondrom
- Re: [secdir] secdir review of draft-alakuijala-br… Daniel Kahn Gillmor
- Re: [secdir] secdir review of draft-alakuijala-br… Tobias Gondrom
- Re: [secdir] secdir review of draft-alakuijala-br… Zoltan Szabadka
- [secdir] 答复: secdir review of draft-alakuijala-br… Xialiang (Frank)