Last Call Review of draft-ietf-httpbis-zstd-window-size-01
review-ietf-httpbis-zstd-window-size-01-secdir-lc-hollebeek-2024-07-30-00

Request Review of draft-ietf-httpbis-zstd-window-size
Requested revision No specific revision (document currently at 03)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2024-08-06
Requested 2024-07-23
Authors Nidhi Jaju, W. Felix P. Handte
I-D last updated 2024-07-30
Completed reviews Artart Last Call review of -01 by Barry Leiba
Genart Last Call review of -01 by Vijay K. Gurbani
Secdir Last Call review of -01 by Tim Hollebeek
Opsdir Last Call review of -01 by Dan Romascanu
Assignment Reviewer Tim Hollebeek
State Completed
Request Last Call review on draft-ietf-httpbis-zstd-window-size by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/OiIkUuMmB2D2xXrYUaMp20xrz54
Reviewed revision 01 (document currently at 03)
Result Ready
Completed 2024-07-30
This is rather unimportant, but I just wanted to mention it in case the authors
find it useful. Feel free to ignore.

The document states that there are no new security considerations, but that's
perhaps not quite true. I think it might be useful to call out that an
implementation cannot rely on its peer behaving correctly, so implementers will
have to take into account they may still receive oversized frames from
misbehaving clients. This is arguably no different from the situation today, so
it can be argued that the current considerations are accurate.

I just thought it might be useful to call it out so some engineer doesn't
remove validation checks since the other side is supposed to behave now. Just
because we have standards doesn't mean that everyone complies.
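The check the reviewer has in mind, as an added example that is not part of the review or of the draft: a receiver parses the zstd frame header itself (the layout and the Window_Size formula are those of RFC 8878, section 3.1.1) and refuses any frame whose declared window exceeds a locally configured ceiling, before handing the bytes to a real decompressor. The limit value `MAX_WINDOW`, the function names and the header bytes fed to it are assumptions constructed for this example; the actual ceiling an HTTP implementation applies is whatever the draft specifies, not this constant.

```python
import struct

# zstd frame magic number (RFC 8878), little-endian on the wire: 28 B5 2F FD
ZSTD_MAGIC = 0xFD2FB528

# Assumed local ceiling for this example (8 MiB); a placeholder, not the draft's value.
MAX_WINDOW = 8 << 20


class FrameRejected(ValueError):
    """Raised when a frame header fails validation before decompression."""


def parse_frame_header(frame: bytes) -> dict:
    """Parse the RFC 8878 frame header fields needed to learn the window size.

    Only the header is read; the block data that follows is never touched.
    """
    if len(frame) < 6:
        raise FrameRejected("truncated: shorter than magic + descriptor")
    (magic,) = struct.unpack_from("<I", frame, 0)
    if magic != ZSTD_MAGIC:
        raise FrameRejected("not a zstd frame (bad magic number)")

    fhd = frame[4]                      # Frame_Header_Descriptor
    fcs_flag = fhd >> 6                 # Frame_Content_Size_flag
    single_segment = (fhd >> 5) & 1     # Single_Segment_flag
    reserved = (fhd >> 3) & 1           # Reserved_bit, must be zero
    dict_id_flag = fhd & 3              # Dictionary_ID_flag
    if reserved:
        raise FrameRejected("reserved bit set in frame header descriptor")

    pos = 5
    window_size = None
    if not single_segment:
        # Window_Descriptor: Exponent in the top 5 bits, Mantissa in the low 3.
        wd = frame[pos]
        pos += 1
        exponent, mantissa = wd >> 3, wd & 7
        window_base = 1 << (10 + exponent)
        window_size = window_base + (window_base // 8) * mantissa

    pos += (0, 1, 2, 4)[dict_id_flag]   # skip Dictionary_ID; not needed here

    fcs_size = (0, 2, 4, 8)[fcs_flag]
    if fcs_flag == 0 and single_segment:
        fcs_size = 1                    # FCS present as one byte in single-segment frames
    content_size = None
    if fcs_size:
        if len(frame) < pos + fcs_size:
            raise FrameRejected("truncated frame header")
        raw = int.from_bytes(frame[pos:pos + fcs_size], "little")
        content_size = raw + 256 if fcs_size == 2 else raw   # 2-byte field is offset by 256
        pos += fcs_size
    if len(frame) < pos:
        raise FrameRejected("truncated frame header")

    if single_segment:
        # No window descriptor: the whole content must fit, so the window is the content size.
        window_size = content_size
    return {"single_segment": bool(single_segment), "window_size": window_size,
            "content_size": content_size, "header_len": pos}


def check_window(frame: bytes, max_window: int = MAX_WINDOW) -> dict:
    """Validate the peer's declared window against the local limit; never trust the peer."""
    hdr = parse_frame_header(frame)
    if hdr["window_size"] > max_window:
        raise FrameRejected(
            f"declared window {hdr['window_size']} exceeds local limit {max_window}")
    return hdr


def make_header(window_log: int, mantissa: int = 0) -> bytes:
    """Constructed test input: magic + descriptor (no FCS, no dict) + window descriptor."""
    return struct.pack("<I", ZSTD_MAGIC) + bytes([0x00, ((window_log - 10) << 3) | mantissa])


def classify(frame: bytes, max_window: int = MAX_WINDOW) -> str:
    """Return 'accept' or 'reject: <reason>' for a frame header; convenient for tests."""
    try:
        check_window(frame, max_window)
        return "accept"
    except FrameRejected as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    # Constructed headers: an 8 MiB window, a 12 MiB window, and a 128 MiB window.
    for frame in (make_header(23), make_header(23, 4), make_header(27)):
        print(parse_frame_header(frame)["window_size"], classify(frame))
```

Usage note: the point is that `check_window` runs on the receiver regardless of what the sender promised; a decoder integration would call it on the first bytes of a response body and only then pass the body to the real decompressor with the same window cap configured there as well.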