On 2/19/15 9:41 AM, Aaron Zauner wrote:
Hi,
Peter Saint-Andre - &yet wrote:
-- Section 3.3 --
Implementations and deployments SHOULD disable TLS-level compression
([RFC5246], Section 6.2.2).
Because it's not yet clear to me that all application protocols using
TLS or DTLS are subject to these compression-based attacks (at least, I
have not yet seen analysis of all the many such protocols), personally I
would hesitate at this time to say that all protocols MUST disable
TLS-level compression.
At this point it does not hurt to have it a MUST either, right? Are
there any serious implications for implementors or deployed applications
if we have TLS-compression as `MUST be disabled` in the document?
Personally I would like to hear from some of the communities using DTLS
before I would be comfortable with a MUST here.
Peter
--
Peter Saint-Andre
https://andyet.com/
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
