On 9/22/15 at 11:21 AM, basc...@gmail.com (Tony Arcieri) wrote:

> On Tue, Sep 22, 2015 at 11:16 AM, Julien ÉLIE <jul...@trigofacile.com>
> wrote:
>
>> What about protocols that aren't subject to unsafe usage and that were
>> relying on the compression facility provided by TLS?
>> Unconditionally removing TLS compression leads to a regression for them.
>
> They can continue using older versions of TLS, or add their own compression
> feature. They shouldn't be relying on an encryption protocol to provide
> compression.

IMHO, compression adds too many security vulnerabilities to a
general-purpose secure communication protocol. I think TLS 1.3
is right in eliminating it. It is too big a foot gun.

I do have a lot of sympathy with those who have been using
compression in previous versions of TLS. Probably the best
solution for them is to have a TLS-like library which only does
compression. It could be largely API compatible so switching
between TLS and compression is a relatively easy programming
job. I'll let the TLS implementers say just how hard such a
library would be to produce.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | "The only thing we have to   | Periwinkle
(408)356-8506      | fear is fear itself." - FDR  | 16345 Englewood Ave
www.pwpconsult.com | Inaugural address, 3/4/1933  | Los Gatos, CA 95032

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls