On 12 November 2014 13:49, Kevin Smith <[email protected]> wrote:
> I’ve been asked if the XSF can issue a recommendation re: the use of
> compression and TLS. Ignoring for a moment what a vehicle for issuing such
> a recommendation might be, what would we recommend?
>

It's not clear to me we should be making an explicit recommendation - after all the closest we can reasonably say to a definitive recommendation is "you probably ought to think about whether you really need compression". The subject of updating XEP-0138 to discuss the impact of compression-based attacks on encryption, though, has come up before.

> My understanding is that we would recommend that compression is not used
> where it’s not necessary.
> Can it ever sensibly be used?
> If you had to choose one, which would it be?
>

I think the XSF should just describe the possible attacks, and any mitigations.

Dave.
