On 23/01/15 15:35, Jari Arkko wrote:
>
>> I made a proposal at
>> https://github.com/http2/http2-spec/pull/704
>
> Looked reasonable to me.

Me too. Quibbling, I'd suggest:

OLD:

The decision on whether a header field is sensitive or not is highly
dependent on the context. As a generic guidance, header fields used for
conveying highly valued information, such as the Authorization or Cookie
header fields, can be considered to be on the more sensitive side. In
addition, a header field with a short value has potentially a smaller
entropy and can be more at risk.

NEW:

The decision on whether a header field is ok to compress or not is highly
dependent on the context. As a generic guidance, header fields used for
conveying highly valued information, such as the Authorization or Cookie
header fields, can be considered to be on the more sensitive side. In
addition, a header field with a short value has potentially a smaller
entropy and can be more at risk. We know that compressing low-entropy
sensitive header fields can create vulnerabilities so such cases are most
likely the ones to not compress today. Note though that the criteria to
apply here may evolve over time as we gain knowledge of new attacks.

Cheers,
S.

>
> jari
>
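The point in the NEW text, that a short (low-entropy) sensitive header value is the one most at risk when compressed, is easiest to see with a simulation. The following is an added example, not code from the message above, from the HTTP/2 specification or from any HPACK implementation. It models the HPACK dynamic table in a deliberately simplified way (sizes are approximated as one header byte plus raw name and value octets; Huffman coding, integer prefixes and the static table are omitted), and all names are assumptions for illustration: the `ToyHpackEncoder` class, the `recover_cookie_value` attacker routine, the constructed secret `k7` and the 36-character alphabet. It shows that an attacker who shares an encoder with the victim and can observe encoded sizes confirms a guessed cookie value with a one-byte indexed representation, so the number of guesses is bounded by the value's entropy; marking the field as "never indexed" removes the size difference entirely.

```python
"""Toy model of the HPACK compression side channel (constructed example).

Not wire-accurate: a field costs 1 header byte plus the raw octets of name
and value, and there is no static table or Huffman coding. The shape of the
leak is what matters: an exact name+value match in the dynamic table
collapses to a single-byte index, which is observable as a size change.
"""
import itertools
import string


class ToyHpackEncoder:
    """Encoder with a bounded dynamic table and three representations:
    indexed (field already in the table), literal with incremental indexing
    (field added to the table), and literal never indexed (sensitive fields
    that must never become cheaper to send)."""

    def __init__(self, never_index_names=(), max_entries=64):
        self.table = []                                   # newest entry first
        self.never_index = {n.lower() for n in never_index_names}
        self.max_entries = max_entries

    def encode_field(self, name, value):
        """Return the approximate encoded size in bytes of one header field."""
        name = name.lower()
        literal_size = 1 + len(name) + 1 + len(value)
        if name in self.never_index:
            return literal_size                           # never indexed: constant cost
        if (name, value) in self.table:
            return 1                                      # indexed representation
        self.table.insert(0, (name, value))               # literal with incremental indexing
        del self.table[self.max_entries:]                 # evict oldest entries
        return literal_size


def recover_cookie_value(make_encoder, secret, alphabet, length):
    """Attacker model: the victim keeps sending 'cookie: session=<secret>' on a
    connection whose encoder the attacker shares (hypothetical scenario); the
    attacker submits whole-value guesses and sees only the encoded size of its
    own field. Returns (recovered_value_or_None, number_of_guesses)."""
    enc = make_encoder()
    guesses = 0
    for chars in itertools.product(alphabet, repeat=length):
        guess = "".join(chars)
        enc.encode_field("cookie", "session=" + secret)   # victim's request
        guesses += 1
        if enc.encode_field("cookie", "session=" + guess) == 1:
            return guess, guesses                          # index hit: guess == secret
    return None, guesses


if __name__ == "__main__":
    alphabet = string.digits + string.ascii_lowercase     # 36 symbols
    for length in (2, 4):
        print("value length %d: at most %d guesses" % (length, len(alphabet) ** length))
    print(recover_cookie_value(ToyHpackEncoder, "k7", alphabet, 2))
    hardened = lambda: ToyHpackEncoder(never_index_names=["cookie", "authorization"])
    print(recover_cookie_value(hardened, "k7", alphabet, 2))
```

Because HPACK matches whole name+value pairs, the attacker can only confirm complete values, so the cost is bounded by alphabet size to the power of the value length: trivial for a two-character value, infeasible for a long random session token. That is why the guidance singles out short values, and why a conservative encoder uses the never-indexed literal for Cookie and Authorization regardless of length.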