[secdir] Secdir last call review of draft-ietf-httpbis-compression-dictionary-09
Nancy Cam-Winget via Datatracker <noreply@ietf.org> Wed, 07 August 2024 23:03 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from [10.244.2.52] (unknown [104.131.183.230]) by ietfa.amsl.com (Postfix) with ESMTP id D4579C14F682; Wed, 7 Aug 2024 16:03:30 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Nancy Cam-Winget via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.22.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <172307181050.195.15472875602261483639@dt-datatracker-6df4c9dcf5-t2x2k>
Date: Wed, 07 Aug 2024 16:03:30 -0700
Message-ID-Hash: MI2O5RBV5Z4ACWJ6WERG2PQUNS64VK6Z
X-Message-ID-Hash: MI2O5RBV5Z4ACWJ6WERG2PQUNS64VK6Z
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-httpbis-compression-dictionary.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Reply-To: Nancy Cam-Winget <ncamwing@cisco.com>
Subject: [secdir] Secdir last call review of draft-ietf-httpbis-compression-dictionary-09
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/c7C85J8aOmItlttjwLrgUwRY4F0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
Reviewer: Nancy Cam-Winget Review result: Ready SECDIR review of draft-ietf-httpbis-compression-dictionary-09 Reviewer: Nancy Cam-Winget I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines HTTP headers that can be used for negotiating for enabling compression by using dictionaries. The negotiation defines an external dictionary that provides the mapping or patterns to decode when compression is enabled. The document leverages the use of Brotli (RFC7932) and Standard (RFC8878) as the compression schemes. The document reads well and I have found no issues but have One minor question: Section 2.2 * Is the intent of providing the hash of the "Available-Dictionary" meant to be for protection or for compression? Section 9.1 * To my point in Section 2.2, we presume that all headers are encrypted and protected, so I think it would depend on what protection is being achieved. That is, I think it should be stated that if the header protection is found to be weak, this can be made vulnerable too (I think this is somewhat covered in 9.2 maybe?)
- [secdir] Secdir last call review of draft-ietf-ht… Nancy Cam-Winget via Datatracker
- [secdir] Re: Secdir last call review of draft-iet… Patrick Meenan
- [secdir] Re: Secdir last call review of draft-iet… Patrick Meenan
- [secdir] Re: Secdir last call review of draft-iet… Nancy Cam-Winget (ncamwing)