Re: [secdir] Secdir last call review of draft-ietf-httpbis-encryption-encoding-08

Robert Sparks <> Thu, 06 April 2017 14:47 UTC

To: Martin Thomson <>
Cc: HTTP Working Group <>
From: Robert Sparks <>
Date: Thu, 6 Apr 2017 09:47:08 -0500

On 4/5/17 5:32 PM, Martin Thomson wrote:
> On 6 April 2017 at 06:47, Robert Sparks <> wrote:
>> My only concern is that the document suggests it would be ok to use a
>> counter to provide a unique salt value
>> for each message. I suspect that provides the kind of information leak
>> the draft discusses avoiding.
> Hi Robert, can you explain what sort of leakage you are concerned
> about?  I mean, I can understand how you could construct the sequence
> of resources that were encrypted using a counter for the salt, but I
> don't know what that might imply.
Things like these:

- A third party that could see that sequence would know if there were gaps.

- If creation or transmission time can be approximated (perhaps via file the third party can more quickly assess the rate of creation, and have a strong idea of when to look for the next one.

Of course for both of those, the third party would need to somehow know the content came from the same source, but it's easy to see systems built using this that would expose that.

> That said, I think that the counter thing can be removed.  We require
> 128 bits of salt, which is a space that is large enough to select
> randomly from in perpetuity.
That would be my personal preference.
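As an added illustration of the leak discussed in this thread (example code, not from the draft or its authors): a counter salt lets a passive observer count missed messages, a random 128-bit salt does not. The header layout (salt, record size, key id) follows the aes128gcm content coding; the counter-detection heuristic at the end is my own assumption, not something the draft specifies.

```python
import os
import struct

SALT_LEN = 16      # the content coding requires a 128-bit salt per message
RS_DEFAULT = 4096  # record size in bytes; constructed default for the example


def random_salt() -> bytes:
    """Salt drawn uniformly from the full 128-bit space (the recommended choice)."""
    return os.urandom(SALT_LEN)


def counter_salt(counter: int) -> bytes:
    """Counter-derived salt: unique per message, but it reveals ordering and gaps."""
    return counter.to_bytes(SALT_LEN, "big")


def encode_header(salt: bytes, keyid: bytes = b"", rs: int = RS_DEFAULT) -> bytes:
    """Build the aes128gcm header: salt(16) | rs(4, big-endian) | idlen(1) | keyid."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 16 bytes")
    if len(keyid) > 255:
        raise ValueError("keyid must fit in a single length byte")
    return salt + struct.pack("!IB", rs, len(keyid)) + keyid


def parse_header(data: bytes) -> dict:
    """Split a header back into its fields; rejects truncated input."""
    if len(data) < SALT_LEN + 5:
        raise ValueError("truncated header")
    rs, idlen = struct.unpack("!IB", data[SALT_LEN:SALT_LEN + 5])
    end = SALT_LEN + 5 + idlen
    if len(data) < end:
        raise ValueError("truncated keyid")
    return {"salt": data[:SALT_LEN], "rs": rs, "keyid": data[SALT_LEN + 5:end]}


def missing_between(salts) -> int:
    """What an observer of counter salts learns: how many messages it did not see."""
    values = sorted(int.from_bytes(s, "big") for s in salts)
    return sum(b - a - 1 for a, b in zip(values, values[1:]))


def looks_counter_like(salts) -> bool:
    """Audit heuristic (assumption): random 128-bit salts never cluster in a 2**64 span."""
    values = [int.from_bytes(s, "big") for s in salts]
    return len(values) > 1 and max(values) - min(values) < 2 ** 64
```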