[secdir] Re: Secdir last call review of draft-ietf-httpbis-compression-dictionary-09
"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Thu, 08 August 2024 03:43 UTC
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: Patrick Meenan <pmeenan@google.com>
Date: Thu, 08 Aug 2024 03:43:22 +0000
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-httpbis-compression-dictionary.all@ietf.org" <draft-ietf-httpbis-compression-dictionary.all@ietf.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, "last-call@ietf.org" <last-call@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YfAUPgIPRZnNuiATaBeaZesIq5c>
Hi Pat,

Thanks for the clarifications, I can see the benefit for using hashes for quick lookup... my first quick read of section 9 made me pause as there was a remark on the need to replace SHA-256 if a weakness is found. But on a slower read, it does qualify the protections served. Thanks for confirming that of course.

Best,
nancy

From: Patrick Meenan <pmeenan@google.com>
Date: Wednesday, August 7, 2024 at 4:48 PM
To: Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>
Cc: secdir@ietf.org, draft-ietf-httpbis-compression-dictionary.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
Subject: Re: Secdir last call review of draft-ietf-httpbis-compression-dictionary-09

Quick follow-up...

As an example of where it makes deployment a little easier, for the case of static resources (like a JavaScript bundle) where the deltas are generated at build time and stored as something like "example.js.<hash>.brd", the serving path for the resource doesn't need to calculate the hash of example.js when it is served and doesn't need to make sure the ID matches the specific payload. It can be configured to serve a static "Use-As-Dictionary: " response header with just a match path and the same header can work as new versions of the resource roll out.

At serving time, if there is an "Available-Dictionary" request header, the server can first check to see if "example.js.<hash>.brd" exists with a matching hash and serve it if there is one (and fall back to the full example.js if there isn't). By varying on the encoding and available-dictionary, any CDNs can cache the dictionary-specific response, which minimizes the amount of dynamic logic that needs to run to serve dictionary-compressed deltas.

On Wed, Aug 7, 2024 at 7:40 PM Patrick Meenan <pmeenan@google.com> wrote:

Thank you for the review.

The intent of providing the hash of the "Available-Dictionary" is to be sure that the contents of the dictionary on the client are the same as what the server is using for the compression (more for integrity than anything else). It also acts as a default identifier in the negotiation if an explicit ID isn't provided. Both Zstandard and Brotli also use hashes to verify the dictionary before decompression to prevent corruption, but providing it in the request header allows for the server to not send an invalid response in the first place in case the payloads got modified somewhere in the path previously or something else got out of sync.

It is allowed (and expected) that there may be multiple dictionaries for the same resource (i.e. version 1.1 of example.js and version 1.2 of example.js both used as dictionaries for version 1.3 for different delta updates) and the hash makes differentiating them automatic (and standard).

It's not meant as a protection against explicit attack - that is expected to be handled by the transport itself (encryption, cert verification, etc). An attack on the dictionary or payload would have the same risks and vulnerabilities as an attack on the uncompressed response itself (that part is where the same-origin dictionary/payload requirement comes from).

Thanks,
-Pat

On Wed, Aug 7, 2024 at 7:03 PM Nancy Cam-Winget via Datatracker <noreply@ietf.org> wrote:

Reviewer: Nancy Cam-Winget
Review result: Ready

SECDIR review of draft-ietf-httpbis-compression-dictionary-09
Reviewer: Nancy Cam-Winget

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document defines HTTP headers that can be used for negotiating for enabling compression by using dictionaries. The negotiation defines an external dictionary that provides the mapping or patterns to decode when compression is enabled. The document leverages the use of Brotli (RFC7932) and Zstandard (RFC8878) as the compression schemes.

The document reads well and I have found no issues but have one minor question:

Section 2.2
* Is the intent of providing the hash of the "Available-Dictionary" meant to be for protection or for compression?

Section 9.1
* To my point in Section 2.2, we presume that all headers are encrypted and protected, so I think it would depend on what protection is being achieved. That is, I think it should be stated that if the header protection is found to be weak, this can be made vulnerable too (I think this is somewhat covered in 9.2 maybe?)
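The static-resource serving path Pat describes above, as an added illustration that is not code from the thread or from the draft's authors: the build step names each pre-generated delta "example.js.<hash>.brd" by the SHA-256 of the dictionary version it was built against, and the server only has to parse the client's Available-Dictionary hash, look for a matching artifact, and otherwise fall back to the full resource under a static Use-As-Dictionary header. It assumes the draft's Structured Field byte-sequence form for Available-Dictionary (":<base64 of the 32-byte SHA-256>:") and the "dcb" content-encoding token for dictionary-compressed Brotli; the delta payloads are constructed stand-ins, not real Brotli streams.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed sample: two prior versions of example.js that clients may still
# hold as dictionaries, and the current version that is actually served.
DICT_V11 = b"console.log('example v1.1');\n"
DICT_V12 = b"console.log('example v1.2');\n"
CURRENT_V13 = b"console.log('example v1.3');\n"

def dict_hash(data: bytes) -> str:
    """Hex SHA-256 of dictionary bytes; used as the build-artifact suffix."""
    return hashlib.sha256(data).hexdigest()

# Simulated build output: "example.js.<hash>.brd" -> delta against v1.3.
# Payloads are constructed placeholders standing in for Brotli delta streams.
BUILD_ARTIFACTS = {
    f"example.js.{dict_hash(DICT_V11)}.brd": b"<delta v1.1->v1.3>",
    f"example.js.{dict_hash(DICT_V12)}.brd": b"<delta v1.2->v1.3>",
}

def available_dictionary_header(dictionary: bytes) -> str:
    """Client side: the header value for a dictionary held in local storage."""
    digest = hashlib.sha256(dictionary).digest()
    return ":" + base64.b64encode(digest).decode("ascii") + ":"

_SF_BINARY = re.compile(r"^:([A-Za-z0-9+/=]*):$")

def parse_available_dictionary(value: Optional[str]) -> Optional[str]:
    """Server side: return the hex hash from ':<base64>:' or None.
    Anything that is not a valid 32-byte byte sequence is ignored, so a
    malformed header simply degrades to the full, non-delta response."""
    if value is None:
        return None
    m = _SF_BINARY.match(value.strip())
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.hex() if len(raw) == 32 else None

def serve_example_js(request_headers: dict) -> tuple[dict, bytes]:
    """Pick the delta matching the client's dictionary, else the full file."""
    headers = {
        "Use-As-Dictionary": 'match="/example.js"',  # static, version-independent
        "Vary": "Accept-Encoding, Available-Dictionary",  # per-dictionary CDN caching
    }
    accepted = [t.strip() for t in request_headers.get("Accept-Encoding", "").split(",")]
    h = parse_available_dictionary(request_headers.get("Available-Dictionary"))
    if h and "dcb" in accepted:
        delta = BUILD_ARTIFACTS.get(f"example.js.{h}.brd")
        if delta is not None:  # hash matched a build-time artifact
            headers["Content-Encoding"] = "dcb"
            return headers, delta
    return headers, CURRENT_V13  # no usable dictionary: serve the full resource
```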