Re: Publication has been requested for draft-ietf-httpbis-digest-headers-10
Lucas Pardue <lucaspardue.24.7@gmail.com> Fri, 24 February 2023 16:15 UTC
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Fri, 24 Feb 2023 16:14:12 +0000
Message-ID: <CALGR9oaiszW00Oh3oB_QpsrgVH1Yt6CuAKrEwLnAwRrMZcpTcg@mail.gmail.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Archived-At: <https://www.w3.org/mid/CALGR9oaiszW00Oh3oB_QpsrgVH1Yt6CuAKrEwLnAwRrMZcpTcg@mail.gmail.com>
Hi James,

Thanks for the comments. Apologies for the holdup in responding directly; see in-line responses. We opened up GitHub issues for some of them and links are provided.

On Thu, Nov 10, 2022 at 8:08 AM Manger, James <James.H.Manger@team.telstra.com> wrote:

> Comments on draft-ietf-httpbis-digest-headers-10
>
> 1. Typo in “2. The Content-Digest Field”: 2nd example should be Content-Digest, not Repr-Digest.

Fixed.

> 2. In “6.5 Usage with Encryption” it isn’t clear what layer of encryption is assumed (representation, content). I guess it is assuming a Content-Encoding that encrypts, such as “Content-Encoding: aes128gcm” from RFC 8188. And the security consideration is pointing out that if the encryption is performed multiple times to respond to multiple HTTP requests then the ciphertext (& hence Content-Digest & Repr-Digest) is likely to change each time, as each encryption (of the same plaintext) is likely to use a different nonce and/or key.
>
> This issue could occur without encryption. For instance, compression algorithms often have different “levels” (eg 1=fast, 9=best). So the representation could change if the level changed between requests. Maybe that will be rare enough to ignore?
>
> I thought “6.5 Usage with Encryption” might be warning against including a digest of the plaintext if encryption was applied as, say, a transfer-encoding (not sure if there are encrypting transfer-encodings). That would be insecure.

See https://github.com/httpwg/http-extensions/issues/2384

> 3. There are no examples of any of the 6 “insecure” algorithms that are still listed in the table. This is particularly important as checksums were conveyed in decimal and hex in Digest, but will now be base64-encoded in Content-Digest & Repr-Digest. Do you base64-encode the decimal digits from, say, cksum; or base64-encode the 32-bits (most significant byte first?) they represent?

See https://github.com/httpwg/http-extensions/issues/2385

> 4. “/entries/1234” is used in appendix A while “/items/123” is used in appendix B, even though they seem to be for the same resources (without & with …-Digest headers).

See https://github.com/httpwg/http-extensions/issues/2386

> 5. Base64-encoding non-printable bodies so they can be included in the document is unfortunate. Particularly as there are lots of “real” base64 values (ie all the …-Digest values). Perhaps hex would have been better to display bodies.
>
> If sticking with base64 to display bodies, the “Range: bytes=1-7/18” examples would be better as “Range: bytes=3-10/18”. That way you can visually recognize that the range (“AItWyFwC/6s=”) is a subset of the original (“H4sIAItWyFwC/6tW…”).

See https://github.com/httpwg/http-extensions/issues/2387

> 6. No newlines are included at the end of the JSON bodies, though that is never mentioned. “Content-Length: 18” on the first {"hello": "world"} example could indicate that. Not including newlines is okay for 1-line JSON values (even though they have extraneous spaces so they aren’t “compact” JSON). No final newline on the multi-line JSON examples is a bit nasty.

See https://github.com/httpwg/http-extensions/issues/2388

> 7. Can 2 algorithms have the same preference? For example:
> Want-Repr-Digest: sha-512=5, sha-256=5, unixsum=0

See https://github.com/httpwg/http-extensions/issues/2389

Cheers
Lucas
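The following is an added example written for this archive page; it is not code from the draft, its authors, or the thread participants. It works through three of the points raised above in Python: building and verifying Content-Digest / Repr-Digest members in the `alg=:base64:` byte-sequence form, the two readings of "base64-encode a 32-bit checksum" that item 3 asks about (big-endian bytes versus ASCII decimal digits, shown side by side rather than picking one for the draft), the Repr-Digest versus Content-Digest split from item 2 (a re-encoding parameter, here gzip's mtime header field standing in for a compression level or encryption nonce, changes only the Content-Digest), and a tie-aware reading of Want-Repr-Digest for item 7. Only sha-256, sha-512 and adler are implemented, all sample bodies are constructed, and the rule that unknown algorithms are skipped during verification is an assumption of this example.

```python
"""Added example: Content-Digest / Repr-Digest helpers for the points in the thread.
Not code from draft-ietf-httpbis-digest-headers; algorithm coverage and the
unknown-algorithm rule are assumptions made for illustration."""
import base64
import gzip
import hashlib
import hmac
import re
import zlib


def _raw_digest(body: bytes, alg: str):
    """Raw digest bytes for the algorithms this example supports, else None.
    Big-endian encoding of the 32-bit adler value is an assumption here."""
    if alg == "sha-256":
        return hashlib.sha256(body).digest()
    if alg == "sha-512":
        return hashlib.sha512(body).digest()
    if alg == "adler":
        return zlib.adler32(body).to_bytes(4, "big")
    return None


def digest_field(body: bytes, alg: str) -> str:
    """Serialise one Dictionary member in byte-sequence form: alg=:base64:"""
    raw = _raw_digest(body, alg)
    if raw is None:
        raise ValueError(f"unsupported algorithm: {alg}")
    return f"{alg}=:{base64.b64encode(raw).decode()}:"


_MEMBER = re.compile(r"\s*([a-z0-9-]+)=:([A-Za-z0-9+/=]+):\s*")


def parse_digest_field(value: str) -> dict:
    """Parse 'alg=:b64:, alg2=:b64:' into {alg: raw_bytes}; reject malformed members."""
    out = {}
    for member in value.split(","):
        m = _MEMBER.fullmatch(member)
        if not m:
            raise ValueError(f"malformed digest member: {member!r}")
        out[m.group(1)] = base64.b64decode(m.group(2), validate=True)
    return out


def verify(body: bytes, field_value: str) -> bool:
    """True only if at least one supported member was checked and every checked
    member matches. Comparison is on raw bytes with a constant-time compare.
    Unknown algorithms are skipped (design choice of this example)."""
    checked = 0
    for alg, raw in parse_digest_field(field_value).items():
        expected = _raw_digest(body, alg)
        if expected is None:
            continue
        if not hmac.compare_digest(expected, raw):
            return False
        checked += 1
    return checked > 0


def checksum_encodings(body: bytes) -> tuple:
    """Item 3: the two ways one could 'base64-encode a 32-bit checksum'.
    Returns (base64 of the 4 big-endian bytes, base64 of the decimal digits);
    they differ, which is why the draft needs a worked example."""
    value = zlib.adler32(body)
    as_bytes = base64.b64encode(value.to_bytes(4, "big")).decode()
    as_digits = base64.b64encode(str(value).encode()).decode()
    return as_bytes, as_digits


def content_vs_repr(body: bytes, mtime: int) -> tuple:
    """Item 2: Repr-Digest covers the identity representation, Content-Digest the
    bytes actually sent. Changing an encoding parameter (gzip's mtime header,
    used here deterministically) alters only the Content-Digest."""
    encoded = gzip.compress(body, mtime=mtime)
    return digest_field(body, "sha-256"), digest_field(encoded, "sha-256")


def parse_want(value: str) -> list:
    """Parse 'Want-Repr-Digest: alg=weight, ...' into [(alg, int_weight)] in sender order."""
    prefs = []
    for member in value.split(","):
        alg, sep, weight = member.strip().partition("=")
        if not sep or not weight.strip().isdigit():
            raise ValueError(f"malformed preference member: {member!r}")
        prefs.append((alg.strip(), int(weight)))
    return prefs


def preferred(value: str) -> list:
    """Item 7: algorithms carrying the highest weight, in sender order. A tie
    yields more than one entry; how to break it is left to the caller."""
    prefs = parse_want(value)
    top = max(w for _, w in prefs)
    return [alg for alg, w in prefs if w == top]


if __name__ == "__main__":
    body = b'{"hello": "world"}'  # constructed sample body
    field = digest_field(body, "sha-256")
    print("Content-Digest:", field, "verifies:", verify(body, field))
    print("adler encodings of b'a':", checksum_encodings(b"a"))
    print("preferred for tie example:", preferred("sha-512=5, sha-256=5, unixsum=0"))
```

Running the module prints the digest member for the sample body, the two adler encodings, and the tied preference list; the `verify` function is the piece a receiving endpoint would reuse, since it fails closed on a tampered body, on a malformed member, and when no member it understands is present.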