Re: Working Group Last Call: Digest Fields

Roberto Polli <robipolli@gmail.com> Mon, 13 December 2021 12:14 UTC

Thanks Justin,

this is a very good and in-depth review! Thanks Justin for all the time that
you spent reviewing this document!
I'll just reply to the issues not already addressed by Lucas,
with which I agree.

On Sat 11 Dec 2021 at 04:16 Lucas Pardue <lucaspardue.24.7@gmail.com> wrote:
>> It bothers me that the draft doesn't use structured fields,
> I think if we want to pursue structured digests further, we should just
> admit that changing the world is hard and define new fields.
I agree with Lucas. We tried to accommodate it in many ways, but with no
success :(

> If requests need some special considerations that we do not cover, then
> I'm open to additions of that sort
Agreed, could you please file a PR on that?


>> §1.3: it seems like this document is going for both semantic and
>> syntactic compatibility of existing fields and definitions, right? The text
>> currently says semantic only.
> Agreed, see https://github.com/httpwg/http-extensions/issues/1840
Has PR.


> Maybe someone has a smart, salient way to describe representation and
> content in this draft in a way we don't already cover?
IIRC it was explicitly suggested that we avoid invading the space of other
specifications.

I think we can't reasonably do more than
https://www.ietf.org/archive/id/draft-ietf-httpbis-digest-headers-07.html#appendix-A-6
since this is also covered in SEMANTICS (e.g.
https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#partial.PUT),
which is the ultimate source for that.

>> §7: ... the Digest header in a request would actually be a digest of the
>> **resource that is being requested**.
>> Is that the intent? Because if so, that seems completely insane to me,
>> and I wouldn't know how to process that, so I hope I'm wrong.
I can't read that explicitly... Where do you read this behavior?

>> My expectation with requests, including all state-changing requests, is
>> that it's the message content of **the request itself** that is hashed for
>> the digest.
>> So if I do a POST, I digest the body and add the header. If I do a PUT,
>> same deal.
>> Like in the example, if I do a PATCH, I digest only the part that I
>> send, not the "whole" thing that's being represented -- or is that only for
>> Content-Digest?
>> I'm honestly not sure.
@Justin Richer this section is heavily dependent on:
- https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-semantics-19#section-6.4
- https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-semantics-19#section-6.4.2
The point is that Digest, unlike Content-Digest, is associated with
the resource and not with the content.

For example, in the cases described in
https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#partial.PUT
the request Digest should be computed on the completed, reconstructed
representation and not on the request content. This is useful to ensure that
the server reconstructed the intended resource correctly, is consistent with
implementations such as
https://docs.microsoft.com/en-us/rest/api/storageservices/put-range
and enables the server to know in advance whether the final checksum is correct.

>> But for GET, I would expect that Digest would not be allowed because
>> there's no body to digest.
IMHO it's legitimate to send a GET with a Digest/Content-Digest of empty
content.
In RFC 3230 there's nothing that forbids sending Digest with a specific
method.


>> §8: Additional security consideration: Bad encoding to break parsers.
>> For example, sending bad base64 in an attempt to break or crash the parser,
>> which is needed to validate the digest.

> Interesting. Can I ask a bit more about the threat model you have in mind
> here? Do you have any examples of such attacks? I'm not opposed to
> addressing genuine concerns but I don't fully understand the scope of the
> problem in relation to Digest headers. To put it another way, what is it
> about Digest that makes header parsing failure worse than any other header
> field?

>> §8.2: I don't see how this is a security consideration except for the
>> last line, which is mostly punted to §8.3.
>> Consider rewriting this portion to be about the actual security gap, and
>> not a list of the spec's virtues and applications.
Has PR.

>> This could probably be covered by §8.1 and §8.3 anyway, but if there's
>> enough to say in its own section, then focus on what's different and
>> discussed here.
>>
>> §8.3: Surprised not to see a reference to httpbis-message-signatures in
>> here. :)
>>
>> §8.3: You SHOULD NOT use normative requirements in the security
>> considerations.
Has PR.

>> The first line needs to be its own security consideration referencing
>> BCP19 for TLS usage, the second can go into §6 probably, with back and
>> forward references.
Has PR.

> ... Signatures should state how Digest is used, not the other way
> around...
>> ...simply highlighting the limitations of digest (it doesn't cover HTTP
>> fields) and then noting that there's a way to encode the digest of an empty
>> representation that can be used by signature to protect from some types of
>> manipulation.
> There seems nothing unique in Digest that requires this property when
> compared to other HTTP fields.
Has PR.

>> §8.5: The fact that you could digest an unencrypted payload then send it
>> encrypted genuinely surprised me -- I would not have thought that possible
>> within the content-encoding mechanisms of HTTP. I think this is going to be
>> a combination that leads to many errors.
Has PR. See https://github.com/httpwg/http-extensions/issues/1839

>> §8.6: This draft's algorithm agility effectively allows an attacker to
>> choose and substitute the algorithm applied to the message,
> Thanks. See https://github.com/httpwg/http-extensions/issues/1841

>> §8.7: Structured field dictionaries disallow the same key in a
>> dictionary, so couldn't we just say that repeating a key is simply an
>> error?
Already discussed. While I supported Justin's view, it was decided not to
change the current syntax.

>> §XX: The document is missing privacy considerations. This RFC provides
>> good guidelines for writing them:
>> https://datatracker.ietf.org/doc/html/rfc6973
> Do you have any specific concerns for the fields defined in this document
> that you feel need to be addressed by privacy considerations? The last 7
> RFCs that this group produced did not include privacy considerations.
@Justin Richer <jricher@mit.edu> Feel free to propose.


>> §9.2: Is normative text allowed in such a description here?
> I don't think we can make an IANA table entry normative for anything :-)
Tracked in https://github.com/httpwg/http-extensions/issues/1842
Good spot!

>> §A: This section is missing examples of how the Digest and
>> Content-Digest headers would be applied to each of these messages.
>> I know that's also the goal of the next section, but it seems out of
>> place separated from each other.
>> I also realize that the entire point of having something like §A is
>> because of people like me who still have problems wrapping their heads
>> around this topic. :)
> I'm 50/50 on this....
> A candidate PR might help the debate.
See https://github.com/httpwg/http-extensions/issues/1843

>> §B: ... neither of these are "resources" or "files" in the traditional
>> HTTP or REST model.

Mumble... IIRC in HTTP, user agents and origin servers exchange resource
representations.

> In appendix B.6 we show a client sending a JSON object and a server
> responding with a brotli encoded JSON.
> ... From a cursory glance, it's just POST method and request and response
> content of JSON.

Exactly

Thanks again,
R.

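As an added illustration of two points raised in the thread above (this is my own sketch, not code from the draft or from either correspondent): in a partial PUT, Content-Digest covers each request's own content, while Digest covers the whole representation the server reconstructs, so the server can tell when the final checksum is right; and a field parser that treats malformed base64 (the §8 concern) as an invalid field instead of an uncaught exception. The Content-Range handling, the status strings and the sample representation are constructed simplifications, not the draft's normative behaviour.

```python
import base64
import binascii
import hashlib

# Constructed sample representation (not from the draft), uploaded in two ranges.
FULL = b"The quick brown fox jumps over the lazy dog"


def sha256_field(data: bytes) -> str:
    """Serialise a sha-256 digest as 'sha-256=<base64>', as in the draft's examples."""
    return "sha-256=" + base64.b64encode(hashlib.sha256(data).digest()).decode()


def parse_digest_field(value: str):
    """Parse comma-separated 'algo=base64' pairs into {algo: raw_digest}.
    Malformed base64 (the Section 8 concern) yields None rather than an exception."""
    digests = {}
    for item in value.split(","):
        algo, sep, encoded = item.strip().partition("=")
        if not sep or not algo.strip():
            return None
        try:
            digests[algo.strip().lower()] = base64.b64decode(encoded.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None
    return digests


def partial_put(offset: int, chunk: bytes) -> dict:
    """Client: Content-Digest covers the request content, Digest covers the full representation."""
    return {"Content-Range": f"bytes {offset}-{offset + len(chunk) - 1}/{len(FULL)}",
            "Content-Digest": sha256_field(chunk),
            "Digest": sha256_field(FULL),
            "content": chunk}


def apply_partial_put(store: bytearray, req: dict) -> str:
    """Server: verify the chunk with Content-Digest, splice it into the stored
    representation, then compare Digest against what has been reconstructed so far."""
    cd = parse_digest_field(req["Content-Digest"])
    if cd is None or cd.get("sha-256") != hashlib.sha256(req["content"]).digest():
        return "400 Content-Digest malformed or mismatched"
    rng = req["Content-Range"].split(" ", 1)[1].split("/")[0]
    start, end = (int(x) for x in rng.split("-"))
    store[start:end + 1] = req["content"]
    d = parse_digest_field(req["Digest"])
    if d is None:
        return "400 Digest malformed"
    if d.get("sha-256") == hashlib.sha256(bytes(store)).digest():
        return "200 representation complete and verified"
    return "202 range applied, representation incomplete"


def simulate_upload(chunks) -> list:
    """Upload FULL as the given (offset, chunk) ranges; return the per-request status."""
    store = bytearray(len(FULL))
    return [apply_partial_put(store, partial_put(off, chunk)) for off, chunk in chunks]
```

Until the last range lands, the request's Digest legitimately differs from the partially reconstructed representation, which is why a mismatch there is reported as "incomplete" rather than as an error.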