On 2/19/15 4:10 PM, Ralph Holz wrote:
> Hi,
>
>>> Implementations and deployments SHOULD disable TLS-level compression
>>> ([RFC5246], Section 6.2.2).
>>
>> Because it's not yet clear to me that all application protocols using
>> TLS or DTLS are subject to these compression-based attacks (at least, I
>> have not yet seen analysis of all the many such protocols), personally I
>> would hesitate at this time to say that all protocols MUST disable
>> TLS-level compression.
>
> At this point it does not hurt to have it a MUST either, right? Are there
> any serious implications for implementors or deployed applications if we
> have TLS-compression as `MUST be disabled` in the document?
>
> +1 - I never felt comfortable with compression being decided by the
> underlying layer and not the application itself.
The thing is, I don't think we know. What about, say, CoAP or SRTP or DCCP over DTLS? Do we really have enough information at this moment to say that *all* application protocols using TLS or DTLS must not use compression? In the absence of a complete survey, I'd still lean toward a (strong) should.
Peter

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
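An added illustration of the compression-based attacks the thread refers to; this is example code written for this page, not part of the thread, the draft, or any IETF implementation. The first half simulates TLS-level DEFLATE compression (the RFC 3749 method) of a record that mixes an attacker-chosen query string with a secret cookie, and recovers the cookie one byte at a time from the compressed lengths alone, which is the CRIME observation. The second half shows the deployment-side fix, disabling compression in the TLS context, and a check for it. The secret, the candidate alphabet, the cookie name and the record layout are constructed; fixing the Huffman tables (`Z_FIXED`) and picking an 11-byte known prefix are simplifications chosen so that each correct byte shortens the output by exactly one byte, which a real attacker cannot assume without further tricks.

```python
import ssl
import zlib

# Constructed sample data (not from the thread): a 7-character session token
# the attacker wants, and the alphabet it is drawn from.
SECRET = "q7w2e9r"
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Assumption for a deterministic demo: the attacker prepends the tail of the
# cookie header to each guess.  Its length (11) keeps every LZ77 back-reference
# below in the 11..18 range, where the fixed DEFLATE length codes all carry one
# extra bit, so a correct byte removes exactly one 8-bit literal.
KNOWN_PREFIX = "ookie: sid="


def compressed_record_len(attacker_data: str, secret: str) -> int:
    """Size of one DEFLATE-compressed 'record', i.e. what TLS-level compression
    would hand to the cipher.  With a stream cipher or AEAD the ciphertext
    length tracks this number, so it is visible on the wire."""
    record = (
        f"GET /?q={attacker_data} HTTP/1.1\r\n"
        f"Cookie: sid={secret}\r\n\r\n"
    ).encode()
    # Z_FIXED forces the static Huffman tables, so only the matches change.
    comp = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(comp.compress(record) + comp.flush())


def recover_secret(secret: str, length: int) -> str:
    """CRIME-style byte-by-byte recovery using nothing but compressed sizes.

    `secret` is passed in only so the server side can be simulated locally;
    the attacker never reads it, only the lengths the oracle returns."""
    known = ""
    for _ in range(length):
        sizes = {
            c: compressed_record_len(KNOWN_PREFIX + known + c, secret)
            for c in ALPHABET
        }
        best = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == best]
        if len(winners) != 1:
            raise RuntimeError(f"ambiguous length oracle after {known!r}")
        known += winners[0]
    return known


def hardened_context() -> ssl.SSLContext:
    """Client context with TLS-level compression explicitly disabled."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will refuse to negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    print("recovered:", recover_secret(SECRET, len(SECRET)))
    print("compression disabled:", compression_disabled(hardened_context()))
```

Run it as a script to watch the token come back character by character. On a real connection the equivalent deployment check is `SSLSocket.compression()`, which returns `None` once the handshake has not negotiated any compression method.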
