Re: Publication has been requested for draft-ietf-httpbis-digest-headers-10

Lucas Pardue <lucaspardue.24.7@gmail.com> Fri, 24 February 2023 16:15 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACB14C151AE8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 24 Feb 2023 08:15:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.05
X-Spam-Level:
X-Spam-Status: No, score=-5.05 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vi2OgMRO_1SR for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 24 Feb 2023 08:15:01 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9516DC151AE7 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 24 Feb 2023 08:15:01 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1pVaiU-00Ahua-6c for ietf-http-wg-dist@listhub.w3.org; Fri, 24 Feb 2023 16:14:38 +0000
Resent-Date: Fri, 24 Feb 2023 16:14:38 +0000
Resent-Message-Id: <E1pVaiU-00Ahua-6c@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <lucaspardue.24.7@gmail.com>) id 1pVaiS-00Ahtc-5X for ietf-http-wg@listhub.w3.org; Fri, 24 Feb 2023 16:14:36 +0000
Received: from mail-oa1-x34.google.com ([2001:4860:4864:20::34]) by titan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <lucaspardue.24.7@gmail.com>) id 1pVaiP-002SL5-6P for ietf-http-wg@w3.org; Fri, 24 Feb 2023 16:14:36 +0000
Received: by mail-oa1-x34.google.com with SMTP id 586e51a60fabf-172afa7bee2so1570364fac.6 for <ietf-http-wg@w3.org>; Fri, 24 Feb 2023 08:14:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9z0uxlrgsbjTsRBi9BDvIwdJ7erd0YdLcz0L+PHuRmg=; b=aysK90uXrx264qCj00lS5VbHc+XJ0TvcsS1hOi1ImPOjxmZN7iPeGg7LUTrMFWl27T aEcaB8903HraUyDjSOsTe35VsmKCxRAh+ZlASXACCA+SgRGPX/yBq0DxuWLjFKF2bVp6 Kx5H/yxpS4yWud70jU2/8avMnmD8zd2jwB2SrlCer6sc8WNO8/Zm7mTN26OX1Qc0r5Bu eg2vozRG7LVjOPD9A/bNo7Mkh6Z644pojsDUS/HdGAwxeUBb1ZGAajYh5/L2sDkr4FEY kcBguRJdURSZRkwvPRyt4dYZvB2Tyv+i2yMEyYdCPouTAJBNux5ISTgNzBac7HhmYnLC sCAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9z0uxlrgsbjTsRBi9BDvIwdJ7erd0YdLcz0L+PHuRmg=; b=04zYiKdHeuGGho1PEsPgd7DCo8mYKXwYrgQ0ZYHOF/+CrqaTH+G5MjZxYnEnYLO9fh p/GumqFlsX6+gZqMXbjdY2ThI8VwHNlJCit+do+Gs6G9XhivydPziwgMERZagCil0ihs zXW+tpgdbMlCa2+52RZK8ymXvmy2/rYkuXEvDcy7QCYayiI4FDsRuC9b1nsfzc5LkujV q2cCb4iUxIixX+Sd2zrtmQAc8MlIDA0yzOYgMxIp9G6cQmTmbbovgWTWCP0ACznxmGI3 Vjx+G7Tq4s67hotFv2+jZc0gTs/kzzYdfCgRcur/AcMEhH9eFA0NIS5mp3mpwac3PCsY /mfg==
X-Gm-Message-State: AO0yUKWlv6GXRKXFxQwh+Fly/mwFAsP8Xc5dFkLZTdKZeHf9RX27FsUb 1R7MNsJrv0Uq0Ia8jsH4rGO9iiolAQiKTq5mV232DrwiM4QqnA==
X-Google-Smtp-Source: AK7set/gXx0F+nUFu9jN2f9IXqKT8Kmf5RIzKwHc6utGSO11Oxq3rBqoOWEUtSfSbolprvv+flYOfsI/8TCH1CwGakk=
X-Received: by 2002:a05:6870:771a:b0:16d:d985:336a with SMTP id dw26-20020a056870771a00b0016dd985336amr1247315oab.5.1677255264266; Fri, 24 Feb 2023 08:14:24 -0800 (PST)
MIME-Version: 1.0
References: <165568314250.27214.12601666470763517171@ietfa.amsl.com> <CAL0qLwbs6nMrVX4QXprkP9Nv5DbRLN--_-ZfDDPf8CApO-YqvA@mail.gmail.com> <CALGR9oZ3k0g-WAuEGRvkjjAz+Uxyb5U8_41GR-zNCL-7cxQ05Q@mail.gmail.com> <CAL0qLwZgojJcVwAH1U69OnH3p3u_-Dfqydxoj6UgfL8L5v8FJA@mail.gmail.com> <CAP9qbHUGgL++9924K0DDz+r+F+yTRP+V9c7nS+2+6aQF2JUG=Q@mail.gmail.com> <ME3PR01MB5973AB6167E4FAA3C3620202E5019@ME3PR01MB5973.ausprd01.prod.outlook.com>
In-Reply-To: <ME3PR01MB5973AB6167E4FAA3C3620202E5019@ME3PR01MB5973.ausprd01.prod.outlook.com>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Fri, 24 Feb 2023 16:14:12 +0000
Message-ID: <CALGR9oaiszW00Oh3oB_QpsrgVH1Yt6CuAKrEwLnAwRrMZcpTcg@mail.gmail.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="0000000000003970f805f5746c5a"
Received-SPF: pass client-ip=2001:4860:4864:20::34; envelope-from=lucaspardue.24.7@gmail.com; helo=mail-oa1-x34.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=lucaspardue.24.7@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1pVaiP-002SL5-6P 33152dcf740273018c7150162bb15919
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Publication has been requested for draft-ietf-httpbis-digest-headers-10
Archived-At: <https://www.w3.org/mid/CALGR9oaiszW00Oh3oB_QpsrgVH1Yt6CuAKrEwLnAwRrMZcpTcg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/50743
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi James,

Thanks for the comments. Apologies for the holdup in responding directly,
see in-line responses,we opened up GitHub issues for some of them and links
are provided.


On Thu, Nov 10, 2022 at 8:08 AM Manger, James <
James.H.Manger@team.telstra.com> wrote:

> Comments on draft-ietf-httpbis-digest-headers-10
>
>
>
> 1.
>
> Typo in “2. The Content-Digest Field”: 2nd example should be
> Content-Digest, not Repr-Digest.
>
>
Fixed.

>
>
> 2.
>
> In “6.5 Usage with Encryption” it isn’t clear what layer of encryption is
> assumed (representation, content). I guess it is assuming a
> Content-Encoding that encrypts, such as “Content-Encoding: aes128gcm” from
> RFC 8188. And the security consideration is pointing out that if the
> encryption is performed multiple times to respond to multiple HTTP requests
> then the ciphertext (& hence Content-Digest & Repr-Digest) is likely to
> change each time, as each encryption (of the same plaintext) is likely to
> use a different nonce and/or key.
>
>
>
> This issue could occur without encryption. For instance, compression
> algorithms often have different “levels” (eg 1=fast, 9=best). So the
> representation could change if the level changed between requests. Maybe
> that will be rare enough to ignore?
>
>
>
> I thought “6.5 Usage with Encryption” might be warning against including a
> digest of the plaintext if encryption was applied as, say, a
> transfer-encoding (not sure if there are encrypting transfer-encodings).
> That would be insecure.
>

See https://github.com/httpwg/http-extensions/issues/2384


>
> 3.
>
> There are no examples of any of the 6 “insecure” algorithms that are still
> listed in the table. This is particularly important as checksums were
> conveyed in decimal and hex in Digest, but will now be base64-encoded in
> Content-Digest & Repr-Digest. Do you base64-encode the decimal digits from,
> say, cksum; or base64-encode the 32-bits (most significant byte first?)
> they represent?
>

See https://github.com/httpwg/http-extensions/issues/2385


>
> 4.
>
> “/entries/1234” is used in appendix A while “/items/123” is used in
> appendix B, even though they seem to be for the same resources (without &
> with …-Digest headers).
>

See https://github.com/httpwg/http-extensions/issues/2386


>
> 5.
>
> Base64-encoding non-printable bodies so they can be included in the
> document is unfortunate. Particularly as there are lots of “real” base64
> values (ie all the …-Digest values). Perhaps hex would have been better to
> display bodies.
>
>
>
> If sticking with base64 to display bodies, the “Range: bytes=1-7/18”
> examples would be better as “Range: bytes=3-10/18”. That way you can
> visually recognize that the range (“AItWyFwC/6s=”) is a subset of the
> original (“H4sIAItWyFwC/6tW…”).
>

See https://github.com/httpwg/http-extensions/issues/2387


>
> 6.
>
> No newlines are included at the end of the JSON bodies, though that is
> never mentioned. “Content-Length: 18” on the first {"hello": "world"}
> example could indicate that. Not including newlines is okay for 1-line JSON
> values (even though they have extraneous spaces so they aren’t “compact”
> JSON). No final newline on the multi-line JSON examples is a bit nasty.
>

See https://github.com/httpwg/http-extensions/issues/2388


>
> 7.
>
> Can 2 algorithms have the same preference? For example:
> Want-Repr-Digest: sha-512=5, sha-256=5, unixsum=0
>

See https://github.com/httpwg/http-extensions/issues/2389

Cheers
Lucas