[secdir] Re: draft-ietf-ohai-chunked-ohttp-07 telechat Secdir review
Martin Thomson <mt@lowentropy.net> Sun, 08 February 2026 23:54 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: secdir@mail2.ietf.org
Delivered-To: secdir@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 348A7B3C31F1; Sun, 8 Feb 2026 15:54:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="cizU8XfR"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Zz9TEgZk"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XhuSZ9WreH0A; Sun, 8 Feb 2026 15:54:33 -0800 (PST)
Received: from fhigh-a2-smtp.messagingengine.com (fhigh-a2-smtp.messagingengine.com [103.168.172.153]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0B338B3C31EB; Sun, 8 Feb 2026 15:54:30 -0800 (PST)
Received: from phl-compute-04.internal (phl-compute-04.internal [10.202.2.44]) by mailfhigh.phl.internal (Postfix) with ESMTP id EEA60140013A; Sun, 8 Feb 2026 18:54:29 -0500 (EST)
Received: from phl-imap-15 ([10.202.2.104]) by phl-compute-04.internal (MEProxy); Sun, 08 Feb 2026 18:54:29 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:subject:subject:to:to; s=fm1; t=1770594869; x=1770681269; bh=N+GJua/yysqew4U9hIQC/i+3HiSWTi/l OV99N0JbqCk=; b=cizU8XfRixbC2vCOI7Gl0y0kY+47/PSSos6MN3pBaWZJ9n/M LX45UNAtlg9lx2a5y0zPN6owpO9BdSSEAijY2FDf1WiqAuM/Hfyz0HRkhZLkc2C9 47ICxgmMFMJb417e4ama+VNHgfhLrhJcPkqXNDK33yiTrNwfZMmwutJjsK/4jjFm fGunGoYnLwQyLPIdWC3SfOE7pT/b3LvMS9Nd+hl38wfh25o+u36vI94AcdFEx1aR gypdyR0ltxCMvr5QkWmBA8Re7WmwuArcApO1p9fWJIXu5oVcqDXRUHqVtjXD/1ZM mUjltmm8xj6uyNQNkIkvYuPFpfOdxkc48xyGPQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1770594869; x= 1770681269; bh=N+GJua/yysqew4U9hIQC/i+3HiSWTi/lOV99N0JbqCk=; b=Z z9TEgZk2k6FrlcwQ9pmLmMppK1A1z82ScnE/gBdPaNcH3LshG6NhGwDseDkduWPu uyBruqY/54YJ87busz6LI0qjh45HL7FmMANAPRPoKyaJH81wfo2xMrMGdg+/e5q9 guwafbQhYqFaIAnQPv+665FaWrCod2MoIAM8Mdp4iolAMqJTUZ5zNdnQKKyZ52BT LS87Q5p0GeLkPd9UgdQdBA15Hs3ncwImJ9NotqEeYm+uW1li631O7ZfKFVn8pG2K M5EBq7PP3b0HUlIAXCQnypTV+frIJrUN4p6AsmBsdA4KWu+KOvezt8LLVFa87d2q aQ8I5TD3Qn7+v1n6EAmjA==
X-ME-Sender: <xms:NSKJaVYSe12ztu5dmLYAFkAeKUMOnuI7KO5vzGjLH2Ozz8QU1xjDmw> <xme:NSKJaXPmtraLaBFeGzbv4eLN_AVntEI9qdAnUsIYLvdP4LINUdUYPZaDZeN0Cx5HF jKIk5clwDGPzcw5I_XgPwNFFsqvHIkIaEODYki7hcuwu7JJXSuCHSpu>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgdduleehfedtucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu rghilhhouhhtmecufedttdenucenucfjughrpefoggffhffvvefkjghfufgtgfesthejre dtredttdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhepgeffheehffevvedvleekle fgleejveeiieehfeelgefhudevveduleefvdettdeunecuffhomhgrihhnpehgihhthhhu sgdrtghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh hmpehmtheslhhofigvnhhtrhhophihrdhnvghtpdhnsggprhgtphhtthhopeehpdhmohgu vgepshhmthhpohhuthdprhgtphhtthhopeguughpsegvlhgvtghtrhhitgdqlhhofhhtrd horhhgpdhrtghpthhtohepughrrghfthdqihgvthhfqdhohhgrihdqtghhuhhnkhgvugdq ohhhthhtphdrrghllhesihgvthhfrdhorhhgpdhrtghpthhtoheplhgrshhtqdgtrghllh esihgvthhfrdhorhhgpdhrtghpthhtohepohhhrghisehivghtfhdrohhrghdprhgtphht thhopehsvggtughirhesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:NSKJafEPWY3RTnzEHe8rYhmLQ50qBKguU7b_xHTxdWAtC4IZ41Qp4w> <xmx:NSKJaTM2l_6vE_oPEEWDSiniGRpFNe8aCNuE02CoKw2JAr8DmNafgA> <xmx:NSKJaZd4KhWkH_mZnc1_niaxMZlOj24DlBygSX565nNht3KXy_VkFA> <xmx:NSKJaYssQs4PQ7-aXItJ5jO81YzyGEOCYxAF2km37XrNJSY3KsMkIQ> <xmx:NSKJaRB0N-EbPs4nwak-G9NjlfQWIGwQkkqdZvpckPdR4nxhWbmTGKdE>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id 9F17E780070; Sun, 8 Feb 2026 18:54:29 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: AQrQdmX6JhmV
Date: Mon, 09 Feb 2026 10:54:08 +1100
From: Martin Thomson <mt@lowentropy.net>
To: Derrell Piper <ddp@electric-loft.org>, secdir@ietf.org
Message-Id: <41d974c0-8918-4d63-a4a2-d34da9991de0@betaapp.fastmail.com>
In-Reply-To: <177038817655.509987.1640670815931023936@dt-datatracker-6bcfd44575-g5gjh>
References: <177038817655.509987.1640670815931023936@dt-datatracker-6bcfd44575-g5gjh>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Message-ID-Hash: 6YDTQLGQIDX7J6M2IMEBWI7XK6VWGVAA
X-Message-ID-Hash: 6YDTQLGQIDX7J6M2IMEBWI7XK6VWGVAA
X-MailFrom: mt@lowentropy.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-ietf-ohai-chunked-ohttp.all@ietf.org" <draft-ietf-ohai-chunked-ohttp.all@ietf.org>, last-call@ietf.org, ohai@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [secdir] Re: draft-ietf-ohai-chunked-ohttp-07 telechat Secdir review
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/aNgu5rGy2z8kHvnbsOCUzuMJH58>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
Hi Derrell, Thanks again for spending the time on this: https://github.com/ietf-wg-ohai/draft-ohai-chunked-ohttp/pull/59 has the changes I noted below (and some besides). I've added some notes to the pull request in addition to the below. On Sat, Feb 7, 2026, at 01:29, Derrell Piper via Datatracker wrote: > I'd suggest adding a normative statement along these lines: > > "Clients that depend on unlinkability SHOULD avoid interactive > exchanges. Applications that require interactivity SHOULD > document the reduced privacy properties compared to base OHTTP > or non-interactive chunked OHTTP." Unlinkability isn't quite the right measure here. The risk to unlinkability comes from the additional information that the gateway (and others) might gain via interactivity. That is, an attempt to link requests might be able to isolate based on RTT or other information from interaction patterns. But there is also the potential to leak something about geographic or network location that is still a privacy risk, even when it does not improve the ability to link requests. Still, it's good suggestion. I've made a tweak along the lines you describe, recommending against interactivity and requesting an analysis of the privacy risk if it is needed. As a side note, I don't think that interactivity is a great reason to use this format. For interactivity, much of the latency advantage can be obtained by using a proxy, TLS, and 0-RTT. Incremental processing has always been the key feature for me, personally. So I'm down for stronger language discouraging interactivity. > The conclusion "no message can exceed 2^40 bytes" ... https://github.com/ietf-wg-ohai/draft-ohai-chunked-ohttp/pull/48/changes is where the change was made (since then, the other draft has changed and the section reference needs to be updated, which I've done. The analysis is simple. Here's the base formula for AEA: q + v <= min( sqrt(p) * 2^76, p * 2^126 / (L * B) ) For p = 2^-50, the first term is 2^51, so we ignore that. So we have: q + v <= 2^76 / L / B Now, L and B are in 2^4 byte blocks because we assume the worst case for this and they are the same value then (the number of blocks under a single key and the number of bytes under any key; if you chunk things, you can get larger or more messages, which I've noted). So you have: num_of_messages * length_in_bytes^2 <= 2^80 So that is how we got to the 1 million queries (2^20) => length of 2^30. And you are right to check. I don't have the working for the original change. It looks like a straight up error. (Also, redoing this sort of analysis makes me wonder if either our security targets are too conservative, our ciphers are too weak, or both...)
- [secdir] draft-ietf-ohai-chunked-ohttp-07 telecha… Derrell Piper via Datatracker
- [secdir] Re: draft-ietf-ohai-chunked-ohttp-07 tel… Martin Thomson