[Standards] XSF recommendation for TLS and compression
dave at cridland.net
Wed Nov 12 13:55:43 UTC 2014
On 12 November 2014 13:49, Kevin Smith <kevin.smith at isode.com> wrote:

> I’ve been asked if the XSF can issue a recommendation re: the use of
> compression and TLS. Ignoring for a moment what a vehicle for issuing such
> a recommendation might be, what would we recommend?

It's not clear to me we should be making an explicit recommendation - after
all the closest we can reasonably say to a definitive recommendation is
"you probably ought to think about whether you really need compression".

The subject of updating XEP-0138 to discuss the impact of compression-based
attacks on encryption, though, has come up before.

> My understanding is that we would recommend that compression is not used
> where it’s not necessary.
> Can it ever sensibly be used?
> If you had to choose one, which would it be?

I think the XSF should just describe the possible attacks, and any