On 01/23/2015 01:21 PM, Stephen Farrell wrote:
On 23/01/15 02:12, Martin Thomson wrote:
I definitely want to avoid making prescriptive statements about what to
protect, even couched as suggestions. However, I think that a more generic
statement that describes the characteristics of a header that might need
protection is definitely a good idea.
If Herve doesn't get there first, I can purpose text that concentrates on
the coincidence of secret and small/easy-to-guess..
Yep, that'd be a good addition I'd say, so long as you
couch those characteristics as being the ones we know
about today that contraindicate compression. Who knows
what new attacks folks might find in future now that
attention has been drawn to this.
Cheers,
S.
I made a proposal at https://github.com/http2/http2-spec/pull/704
Hervé.
On Jan 22, 2015 3:17 PM, "Jari Arkko" <jari.arkko@xxxxxxxxx> wrote:
Thanks for the response. I think this may slightly enhance the feeling
that the list may not be needed.
Jari