On 21 November 2016 at 14:13, Eric Rescorla <e...@rtfm.com> wrote:
>> IMO, the compression methods section of ClientHello should be ignored as
>> mentioned by Martin Rex.
>
> I'm not seeing any good reason for this. We don't want anyone to offer
> compression and it's not like it's difficult for 1.3 implementations to
> not offer it.
I understand Martin Rex's rationale: we are effectively mandating a requirement on implementations of other versions of the protocol.

However, I agree with ekr. We have - I think - consensus to forbid compression more broadly than just in TLS 1.3. It's a foot gun. And I don't believe that the foot gun is unique to the web case. For example, if you don't believe that mail could contain attacker-controlled data and secrets, then you haven't thought hard enough about all the ways mail can be used. Similarly, insert protocol of choice.

Of course it's definitely true that someone loaded and cocked the footgun for the web.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
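An added example, not code from this thread or from any TLS implementation, showing the server-side check the thread is arguing over in Python: parse the body of a ClientHello, and if the client offers TLS 1.3 (via supported_versions) while listing any compression method other than null (0), abort with illegal_parameter, which is the rule TLS 1.3 ended up with in RFC 8446; for every other version the server simply never selects anything but null, matching the "forbid compression more broadly" position. The ClientHello bytes are constructed inline, and the builder, the field-walking helper and the function names are my own naming, not anything from the list or a library.

```python
import struct

TLS13 = 0x0304
TLS12 = 0x0303
EXT_SUPPORTED_VERSIONS = 43   # extension type from RFC 8446
NULL_COMPRESSION = 0x00
DEFLATE_COMPRESSION = 0x01    # RFC 3749 method, the one CRIME abused


def parse_client_hello(body: bytes) -> dict:
    """Walk the body of a ClientHello handshake message (bytes after the
    4-byte handshake header) and return the fields the check needs."""
    off = 0
    legacy_version = struct.unpack_from("!H", body, off)[0]; off += 2
    off += 32                                  # client random, not needed here
    sid_len = body[off]; off += 1
    off += sid_len                             # legacy_session_id
    cs_len = struct.unpack_from("!H", body, off)[0]; off += 2
    cipher_suites = [struct.unpack_from("!H", body, off + i)[0]
                     for i in range(0, cs_len, 2)]
    off += cs_len
    cm_len = body[off]; off += 1
    compression_methods = list(body[off:off + cm_len]); off += cm_len
    supported_versions = []
    if off < len(body):                        # extensions block is optional pre-1.3
        ext_len = struct.unpack_from("!H", body, off)[0]; off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack_from("!HH", body, off); off += 4
            data = body[off:off + elen]; off += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = data[0]                    # 1-byte length, then 2-byte versions
                supported_versions = [struct.unpack_from("!H", data, 1 + i)[0]
                                      for i in range(0, n, 2)]
    return {
        "legacy_version": legacy_version,
        "cipher_suites": cipher_suites,
        "compression_methods": compression_methods,
        "supported_versions": supported_versions,
    }


def offers_tls13(hello: dict) -> bool:
    return TLS13 in hello["supported_versions"]


def server_compression_decision(hello: dict) -> tuple:
    """Decide what a server that never negotiates compression does with the
    ClientHello. Returns ("abort", alert_name) or ("accept", selected_method)."""
    methods = hello["compression_methods"]
    if offers_tls13(hello) and methods != [NULL_COMPRESSION]:
        # TLS 1.3 requires exactly one byte, 0; anything else is a protocol error
        return ("abort", "illegal_parameter")
    if NULL_COMPRESSION not in methods:
        # no common method at all; cannot complete the handshake
        return ("abort", "handshake_failure")
    # Older versions may offer DEFLATE; the server just never picks it.
    return ("accept", NULL_COMPRESSION)


def build_client_hello(compression_methods, versions, cipher_suites=(0x1301,)) -> bytes:
    """Construct a minimal ClientHello body for testing (constructed sample data)."""
    body = struct.pack("!H", TLS12) + bytes(32)          # legacy_version + zero random
    body += b"\x00"                                       # empty legacy_session_id
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(cs)) + cs
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body += struct.pack("!H", len(ext)) + ext
    return body


if __name__ == "__main__":
    for label, methods, versions in [
        ("1.3 client, null only", [NULL_COMPRESSION], [TLS13, TLS12]),
        ("1.3 client offering DEFLATE", [NULL_COMPRESSION, DEFLATE_COMPRESSION], [TLS13]),
        ("1.2 client offering DEFLATE", [DEFLATE_COMPRESSION, NULL_COMPRESSION], [TLS12]),
    ]:
        hello = parse_client_hello(build_client_hello(methods, versions))
        print(f"{label}: {server_compression_decision(hello)}")
```

The 1.2 case is where the "broader than TLS 1.3" point bites: the server cannot call that ClientHello malformed, so the only defence is a policy of always selecting null, which is what the decision function does.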