[Standards] XSF recommendation for TLS and compression
Peter Saint-Andre - &yet
peter at andyet.net
Thu Nov 13 01:13:41 UTC 2014
On 11/12/14, 6:55 AM, Dave Cridland wrote:
> On 12 November 2014 13:49, Kevin Smith <kevin.smith at isode.com> wrote:
> I’ve been asked if the XSF can issue a recommendation re: the use of
> compression and TLS. Ignoring for a moment what a vehicle for
> issuing such a recommendation might be, what would we recommend?
> It's not clear to me we should be making an explicit recommendation -
> after all the closest we can reasonably say to a definitive
> recommendation is "you probably ought to think about whether you really
> need compression".
> The subject of updating XEP-0138 to discuss the impact of
> compression-based attacks on encryption, though, has come up before.
> My understanding is that we would recommend that compression is not
> used where it’s not necessary.
> Can it ever sensibly be used?
> If you had to choose one, which would it be?
> I think the XSF should just describe the possible attacks, and any
That at least is a good first step. We might want to do more afterward,
though (depending on how serious we think the attacks are).