Hi John

> On 05 May 2016, at 21:17, John Levine <[email protected]> wrote:
>
>> Well. Depending on the channel we use for feedback, DEFLATE might be a poor
>> option:
>
> Well, yes, but anything can have security bugs, and I expect that the
> libraries for gzip which have been around for a decade have been
> audited a lot better than the ones for CBOR on which the paint is
> still wet.
CBOR was just an idea and what I found when searching for binary-JSON-like
specs available in IETF. In general I'm fine with JSON. Just thinking about the
"future work" section of draft-brotman-smtp-tlsrpt-00 and how we may make use
of it in Let's Encrypt in the future as explained initially.
> People have been mailing around vast numbers of DMARC reports, most
> of which have an application/gzip body. If there have been attacks
> using DEFLATE bugs, nobody's gotten around to reporting them.
I'm not much worried about attacks on DEFLATE and SMTP traffic. But as I
understand from the draft, there's also an option to report back via HTTPS.
Here DEFLATE may become a security issue.
draft-brotman-smtp-tlsrpt-00 currently supports two feedback channels ('rua' in
Section 3): "mailto" and "https".
> Perhaps it would be helpful to explain why it would be a good idea to
> invent something new rather than adapt an existing design that works
> well in practice.
That's the point: I don't want to invent something new here. I'm interested in
suggestions; that message wasn't supposed to sound like "we have to change this
now to CBOR!".
Aaron
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
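One receiver-side check the DEFLATE-over-https concern above calls for, as an added example that is neither from the draft nor from anyone on this thread: an endpoint for the `https` feedback channel inflates an application/gzip report body under a hard ceiling on decompressed size, so a small body with an extreme expansion ratio is rejected before it exhausts memory. The 1 MiB ceiling, the function names and the fields in the sample report are assumptions, not values from draft-brotman-smtp-tlsrpt-00.

```python
import gzip
import json
import zlib

# Receiver-side ceiling on decompressed size (assumed policy value, not from the draft).
MAX_REPORT_BYTES = 1 * 1024 * 1024
CHUNK = 64 * 1024  # inflate at most this much output per step before re-checking the total


class ReportTooLarge(ValueError):
    """A gzip body would expand beyond the configured ceiling."""


def inflate_bounded(body: bytes, limit: int = MAX_REPORT_BYTES) -> bytes:
    """Inflate an application/gzip body without trusting its expansion ratio.

    A streaming decompressor with max_length stops as soon as the output passes
    `limit`, so a few kilobytes that would expand to gigabytes are rejected
    early instead of being inflated whole on the reporting endpoint.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16: expect a gzip header
    out = bytearray()
    data = body
    while not d.eof:
        chunk = d.decompress(data, CHUNK)  # bounded output per call
        data = d.unconsumed_tail           # input not yet processed
        if not chunk and not data:
            raise ValueError("truncated gzip body: end-of-stream never reached")
        out += chunk
        if len(out) > limit:
            raise ReportTooLarge(f"report expands past {limit} bytes")
    if d.unused_data:
        raise ValueError("trailing data after gzip stream")
    return bytes(out)


def parse_gzip_json_report(body: bytes, limit: int = MAX_REPORT_BYTES) -> dict:
    """Decode a gzip-compressed JSON report as received on an https feedback URI."""
    return json.loads(inflate_bounded(body, limit).decode("utf-8"))


# Constructed sample inputs (not a real TLSRPT report and not a captured attack).
SAMPLE_REPORT = {"note": "constructed sample report body", "policy-count": 1}
SAMPLE_BODY = gzip.compress(json.dumps(SAMPLE_REPORT).encode("utf-8"))
# 8 MiB of zeros compresses to a few KiB: a tiny body with a huge expansion ratio.
OVERSIZED_BODY = gzip.compress(b"\0" * (8 * 1024 * 1024), compresslevel=9)

if __name__ == "__main__":
    print(parse_gzip_json_report(SAMPLE_BODY))
    try:
        inflate_bounded(OVERSIZED_BODY)
    except ReportTooLarge as e:
        print("rejected:", e)
```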
