Re: Publication has been requested for draft-ietf-httpbis-digest-headers-10

Julian Reschke <julian.reschke@gmx.de> Thu, 10 November 2022 08:17 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB05FC14CE3D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 10 Nov 2022 00:17:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.06
X-Spam-Level:
X-Spam-Status: No, score=-5.06 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id emMxdCcIBd4b for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 10 Nov 2022 00:16:58 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9060AC15258F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 10 Nov 2022 00:16:57 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ot2hT-00FG0x-7O for ietf-http-wg-dist@listhub.w3.org; Thu, 10 Nov 2022 08:14:15 +0000
Resent-Date: Thu, 10 Nov 2022 08:14:15 +0000
Resent-Message-Id: <E1ot2hT-00FG0x-7O@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <julian.reschke@gmx.de>) id 1ot2hS-00FFzy-7q for ietf-http-wg@listhub.w3.org; Thu, 10 Nov 2022 08:14:14 +0000
Received: from mout.gmx.net ([212.227.17.22]) by titan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <julian.reschke@gmx.de>) id 1ot2hQ-009Dne-Lg for ietf-http-wg@w3.org; Thu, 10 Nov 2022 08:14:13 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.de; s=s31663417; t=1668068039; bh=6ZjePKyVPcXZ3JdbuMuvoCRSXXjKmfFEJz2cwWr0WIk=; h=X-UI-Sender-Class:Date:Subject:To:References:From:In-Reply-To; b=ZXTazBqtrklpalqc0hbtMnezcLKN9ntx2AQ5wbiUwB6FRUARwgBWnomTEsL+x4SSx YyU2KQgBm7RgqLhqq+dyMMwiH76JwDXSMongZvuF2kZ//5P/Bj8iixfPa5dImNU4HV nhyqv1mRJeXdE29iQm6i6ppCNRhXqXePYRPABDnqYSoGuKl+koxy9bxI084sK4aLT+ /f3Vr8fMfuyUl2tS/UTRvxFwlp6M9MyW7RqQBjC07W4Dnv/ZzNcTpKcKeakYvQ9dH3 AYjD2tV8kWAskSU+OkjJfKxnT4zCqOStDbD8lsvqN6uipztNFxQ92KP0oyIt4rCR6d byfuub0O0ezSg==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [192.168.178.20] ([91.61.61.180]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1Ma24y-1oVxul0ITc-00W1Jc for <ietf-http-wg@w3.org>; Thu, 10 Nov 2022 09:13:59 +0100
Message-ID: <45ae6452-50a1-b41e-9292-9a9bee60384c@gmx.de>
Date: Thu, 10 Nov 2022 09:13:57 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-US
To: ietf-http-wg@w3.org
References: <165568314250.27214.12601666470763517171@ietfa.amsl.com> <CAL0qLwbs6nMrVX4QXprkP9Nv5DbRLN--_-ZfDDPf8CApO-YqvA@mail.gmail.com> <CALGR9oZ3k0g-WAuEGRvkjjAz+Uxyb5U8_41GR-zNCL-7cxQ05Q@mail.gmail.com> <CAL0qLwZgojJcVwAH1U69OnH3p3u_-Dfqydxoj6UgfL8L5v8FJA@mail.gmail.com> <CAP9qbHUGgL++9924K0DDz+r+F+yTRP+V9c7nS+2+6aQF2JUG=Q@mail.gmail.com> <ME3PR01MB5973AB6167E4FAA3C3620202E5019@ME3PR01MB5973.ausprd01.prod.outlook.com>
From: Julian Reschke <julian.reschke@gmx.de>
In-Reply-To: <ME3PR01MB5973AB6167E4FAA3C3620202E5019@ME3PR01MB5973.ausprd01.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:Ttkt4FHrAolhBjRfIYLiQu97cRkoDdYVp2y0eT7WEr03uy3DDOu x+hZiqryFj+GWPVYNdXz4jfR73sAKK/hUKG7lj95PlagGM6wBQyCwbZmCZE3VoBgxuEZnsr mVX5rNoYgwMvGRB378loXCrIdBlvBPkpLrSHUnxc2a2kYlD+C/8/LB2t0ovfLxxDaDzuzKE K89D10IJF66mk9QdlUUyQ==
UI-OutboundReport: notjunk:1;M01:P0:LHkuuNuDd6A=;1H51kJ7/dykG+YgCKF37WT43kFt rdCD7Nh7jWxea12svS4T/oNbyz0afD/4Rs1nb4k0ZtrWkjBibu+sng3ULIfg2PMdMhMg6lIEh stpw2MUOr4/RkAXy4KgoztGO3GvSI1fMAGM4hJxf4FGzaJeakQy8VNbXwnd9lDhomPxRqq0F/ /kcZ6DQ5CKU3Oq2NNtnNr76irwSyr4jclM+YKsbgwGhzyxhVmpH0Kx4HmpcMzzTx3F596YGxh 79wSwbOX0v9Gc1D6YmQIpUfyHph3G9OHfBp1zNWS02TTEVR5cF1BxLp9jibM5zIheIY/VxcAE 5qhHIJfAcnO2gpFaOhjiBCJ07Uc8zH3p1XdfLZ8AcAdV7Y6uOOa+u6i/bDCnzjCtlPwKORISs TJoQY0w1eet34DFJ/LR5YGTQrcwP7diwJFD5x7WaocQmTGHG7WMOF/KvtC5iOSGT1C9Oz5Qza L0lcqeOgapxzxfN3Zy/wXL2VR4zNTtiDQSJ0ujKeaGg9gXZ8wbyeDu9+IrJ3F4xNsPOcTBKwS QKZJOeYpUE5F//yxUfNI+YT+khY7k+YXKOFALzH+ZEJlHwFsCicLmVSM2E+cQOcBnPKubA73O FAmhGTlaaskgVkt8oDd15SrlkXFdi3z0v6inFYur03q91cC77VxlmwRDjdncfcI1UecpkZZVv u+BV5/oNZ0hZPNiT1T82bLs6vHyWwDIBZPLWm9OuWAhhrOwSiUuEQtboXoc2OGVy6dwLDeJI+ 7uT99RBsdaX3IlokXxPupXLTPUGF1TXTjFFdICrRLoAdbkV7lnczTGCtYLgWg1yHTozP2ed1i N90SZq4fiZfExPVzluHHVT7z4nmBAJNkFzLY5hOrSewJOFJKm6KE/GRZiRhu/k0zca6SU4ndf bKmPKu852CQarNpv0A/Qnady9Yg8Wj1hPrv/EQGT+F3uLCR9co1vALKcYEAnAjiGAiZ+amTz9 Zs+nzw==
Received-SPF: pass client-ip=212.227.17.22; envelope-from=julian.reschke@gmx.de; helo=mout.gmx.net
X-W3C-Hub-DKIM-Status: validation passed: (address=julian.reschke@gmx.de domain=gmx.de), signature is good
X-W3C-Hub-Spam-Status: No, score=-5.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1ot2hQ-009Dne-Lg d93450548f92314e871cda9784baa1bf
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Publication has been requested for draft-ietf-httpbis-digest-headers-10
Archived-At: <https://www.w3.org/mid/45ae6452-50a1-b41e-9292-9a9bee60384c@gmx.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40555
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 10.11.2022 09:06, Manger, James wrote:
> Comments on draft-ietf-httpbis-digest-headers-10
>
> 1.
>
> Typo in “2. The Content-Digest Field”: 2^nd example should be
> Content-Digest, not Repr-Digest.
>
> 2.
>
> In “6.5 Usage with Encryption” it isn’t clear what layer of encryption
> is assumed (representation, content). I guess it is assuming a
> Content-Encoding that encrypts, such as “Content-Encoding: aes128gcm”
> from RFC 8188. And the security consideration is pointing out that if
> the encryption is performed multiple times to respond to multiple HTTP
> requests then the ciphertext (& hence Content-Digest & Repr-Digest) is
> likely to change each time, as each encryption (of the same plaintext)
> is likely to use a different nonce and/or key.
>
> This issue could occur without encryption. For instance, compression
> algorithms often have different “levels” (eg 1=fast, 9=best). So the
> representation could change if the level changed between requests. Maybe
> that will be rare enough to ignore?
>
> I thought “6.5 Usage with Encryption” might be warning against including
> a digest of the plaintext if encryption was applied as, say, a
> transfer-encoding (not sure if there are encrypting transfer-encodings).
> That would be insecure.
>
> 3.
>
> There are no examples of any of the 6 “insecure” algorithms that are
> still listed in the table. This is particularly important as checksums
> were conveyed in decimal and hex in Digest, but will now be
> base64-encoded in Content-Digest & Repr-Digest. Do you base64-encode the
> decimal digits from, say, cksum; or base64-encode the 32-bits (most
> significant byte first?) they represent?
>
> 4.
>
> “/entries/1234” is used in appendix A while “/items/123” is used in
> appendix B, even though they seem to be for the same resources (without
> & with …-Digest headers).
>
> 5.
>
> Base64-encoding non-printable bodies so they can be included in the
> document is unfortunate. Particularly as there are lots of “real” base64
> values (ie all the …-Digest values). Perhaps hex would have been better
> to display bodies.
> ...

FWIW, I'm planning to define a "hexdump" Content-Encoding, solely for
the use in spec examples. But that wouldn't help here, due to
publication timing.

Best regards, Julian