[Standards] XSF recommendation for TLS and compression

Dave Cridland dave at cridland.net
Wed Nov 12 13:55:43 UTC 2014


On 12 November 2014 13:49, Kevin Smith <kevin.smith at isode.com> wrote:

> I’ve been asked if the XSF can issue a recommendation re: the use of
> compression and TLS. Ignoring for a moment what a vehicle for issuing such
> a recommendation might be, what would we recommend?
>
>
It's not clear to me we should be making an explicit recommendation - after
all the closest we can reasonably say to a definitive recommendation is
"you probably ought to think about whether you really need compression".

The subject of updating XEP-0138 to discuss the impact of compression-based
attacks on encryption, though, has come up before.


> My understanding is that we would recommend that compression is not used
> where it’s not necessary.
> Can it ever sensibly be used?
> If you had to choose one, which would it be?
>
>
I think the XSF should just describe the possible attacks, and any
mitigations.

Dave.