SECDIR review of draft-ietf-httpbis-compression-dictionary-09

Reviewer: Nancy Cam-Winget


I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.


This document defines HTTP headers that can be used for negotiating
for enabling compression by using dictionaries.  The negotiation
defines an external dictionary that provides the mapping or patterns
to decode when compression is enabled.  The document leverages the use
of Brotli (RFC7932) and Standard (RFC8878) as the compression schemes.


The document reads well and I have found no issues but have
One minor question:

Section 2.2
* Is the intent of providing the hash of the "Available-Dictionary"
meant to be for protection or for compression? 

Section 9.1
* To my point in Section 2.2, we presume that all headers are
encrypted and protected, so I think it would depend on what protection
is being achieved. That is, I think it should be stated that if the
header protection is found to be weak, this can be made vulnerable too
(I think this is somewhat covered in 9.2 maybe?)