Oops, sent from the wrong email address.
-------- Forwarded Message --------
Subject: Re: [Uta] Barry Leiba's Discuss on draft-ietf-uta-tls-bcp-09:
(with DISCUSS and COMMENT)
Date: Thu, 19 Feb 2015 18:07:07 -0700
From: Peter Saint-Andre <stpe...@stpeter.im>
To: Ralph Holz <ralph.i...@gmail.com>, Aaron Zauner <a...@azet.org>
CC: Peter Saint-Andre - &yet <pe...@andyet.net>, uta@ietf.org
<uta@ietf.org>, Barry Leiba <barryle...@computer.org>, The IESG
<i...@ietf.org>
On 2/19/15 4:10 PM, Ralph Holz wrote:
Hi,
>> Implementations and deployments SHOULD disable TLS-level compression
>> ([RFC5246], Section 6.2.2).
>
> Because it's not yet clear to me that all application protocols using
> TLS or DTLS are subject to these compression-based attacks (at least, I
> have not yet seen analysis of all the many such protocols), personally I
> would hesitate at this time to say that all protocols MUST disable
> TLS-level compression.
>
At this point it does not hurt to have it a MUST either, right? Are
there any serious implications for implementors or deployed applications
if we have TLS-compression as `MUST be disabled` in the document?

+1 - I never felt comfortable with compression being decided by the
underlying layer and not the application itself.

The thing is, I don't think we know. What about, say CoAP or SRTP or
DCCP over DTLS? Do we really have enough information at this moment to
say that *all* application protocols using TLS or DTLS must not use
compression? In the absence of a complete survey, I'd still lean toward
a (strong) should.
Peter
--
Peter Saint-Andre
https://andyet.com/