[secdir] Secdir last call review of draft-ietf-httpbis-zstd-window-size-01
Tim Hollebeek via Datatracker <noreply@ietf.org> Tue, 30 July 2024 17:59 UTC
CC: draft-ietf-httpbis-zstd-window-size.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
Reply-To: Tim Hollebeek <tim.hollebeek@digicert.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/OiIkUuMmB2D2xXrYUaMp20xrz54>
Reviewer: Tim Hollebeek
Review result: Ready

This is rather unimportant, but I just wanted to mention it in case the authors find it useful. Feel free to ignore.

The document states that there are no new security considerations, but that's perhaps not quite true. I think it might be useful to call out that an implementation cannot rely on its peer behaving correctly, so implementers will have to take into account that they may still receive oversized frames from misbehaving clients.

This is arguably no different from the situation today, so it can be argued that the current considerations are accurate. I just thought it might be useful to call it out so some engineer doesn't remove validation checks since the other side is supposed to behave now. Just because we have standards doesn't mean that everyone complies.
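The kind of receiver-side check the review is asking implementers to keep, as an added example that is not part of the review or of the draft: it parses the Zstandard frame header (RFC 8878, section 3.1.1.1) to compute the window a decoder would have to allocate and refuses the frame before decompression if that exceeds a configured limit. The limit value and the sample frames are constructed for this example, not taken from the draft.

```python
import struct

ZSTD_MAGIC = 0xFD2FB528
# Assumed policy limit for this example (a parameter here, not a value from the draft).
DEFAULT_WINDOW_LIMIT = 8 * 1024 * 1024


class FrameRejected(ValueError):
    """Raised when a frame must not be handed to the decompressor."""


def zstd_window_size(frame: bytes) -> int:
    """Window_Size a decoder needs for this frame, per RFC 8878 section 3.1.1.1.2."""
    if len(frame) < 6:
        raise FrameRejected("truncated frame header")
    magic, fhd = struct.unpack_from("<IB", frame, 0)  # Magic_Number, Frame_Header_Descriptor
    if magic != ZSTD_MAGIC:
        raise FrameRejected("not a Zstandard frame")
    fcs_flag = fhd >> 6            # Frame_Content_Size_flag
    single_segment = bool(fhd & 0x20)
    dict_id_flag = fhd & 0x03      # Dictionary_ID_flag
    if single_segment:
        # No Window_Descriptor: the whole content is held in memory,
        # so Frame_Content_Size is the window the decoder needs.
        pos = 5 + {0: 0, 1: 1, 2: 2, 3: 4}[dict_id_flag]      # skip Dictionary_ID
        fcs_size = {0: 1, 1: 2, 2: 4, 3: 8}[fcs_flag]
        if len(frame) < pos + fcs_size:
            raise FrameRejected("truncated Frame_Content_Size")
        raw = int.from_bytes(frame[pos:pos + fcs_size], "little")
        return raw + 256 if fcs_size == 2 else raw   # 2-byte field is offset by 256
    window_descriptor = frame[5]
    exponent, mantissa = window_descriptor >> 3, window_descriptor & 0x07
    window_base = 1 << (10 + exponent)
    return window_base + (window_base // 8) * mantissa


def is_acceptable(frame: bytes, limit: int = DEFAULT_WINDOW_LIMIT) -> bool:
    """True only if the frame parses and its window fits the local policy."""
    try:
        return zstd_window_size(frame) <= limit
    except FrameRejected:
        return False


# Constructed sample frame headers (magic, FHD, then Window_Descriptor or FCS).
FRAME_8MIB = bytes.fromhex("28b52ffd" "00" "68")    # exponent 13 -> 1 << 23 bytes
FRAME_1GIB = bytes.fromhex("28b52ffd" "00" "a0")    # exponent 20 -> 1 << 30 bytes
FRAME_SINGLE = bytes.fromhex("28b52ffd" "20" "40")  # Single_Segment, 64-byte content
```

A decoder that trusts the peer would skip `is_acceptable` and let the frame dictate the allocation; the check keeps the decision on the receiving side regardless of what the sender was supposed to do.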