- From: Roger Gonzalez <rg@caffeine.server.net>
- Date: Thu, 28 Dec 1995 17:09:39 -0500
- To: mogul@pa.dec.com
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>>>>> Jeffrey Mogul writes:

Jeff> But I still assert that the optimistic approach is "better"
Jeff> (perhaps not "best") if one believes that, most of the time,
Jeff> RTTs do matter and servers will not reject PUT-like methods.

While I agree with you overall, I don't buy this. The first PUT in any session will almost -always- be rejected. Here's my reasoning:

1) Most servers that provide PUT are not going to allow arbitrary uploading; the target is going to be an "approved" location.

2) The only current mechanism in the protocol for passing information that can be used to determine approval is the Authorization header.

3) Clients cannot send the Authorization header unprompted, because this would be a big security issue. (Evil servers would just save the auth info and look at the referer.)

4) Therefore, the first upload in any session will usually be returned a 401.

While I would prefer to leave the choice to the client software (based on size heuristics or whatever), this may not be adequate. Consider the following scenario:

A server has a portion of its document space that requires encrypted access. All requests for documents under this tree are redirected to the "https" version of the server listening on a different port. The client wants to upload data to this space, and is chatting with the server on the unencrypted port. When it tries to upload a small file to this area, the server returns a 301. Unfortunately, a Bad Guy was snooping the wire, and captured the rejected data.

Since one of the philosophies of the protocol is that the client shouldn't need to know about the type of resource it refers to, there is no way that the client would know -not- to upload to this URL. The only way around this would be to -require- a 2-phase. I'm not thrilled about this.

Let's just nail it down soon; I'd prefer -any- definition to one that changes every month or so.

:-)

-Roger

Roger Gonzalez
NetCentric Corporation
rg@server.net
56 Rogers Street
Cambridge, MA 02142
home (617) 646-0028
mobile (617) 755-0635
work (617) 868-8600
60 09 3A EE FE 6A 1E CC -pgp- B7 F7 6B 0F 00 1D 01 C7
Received on Thursday, 28 December 1995 14:13:17 UTC
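The exchange the message argues about, as an added example that is not part of the original post or of any HTTP-WG draft: a small in-process model of an "optimistic" one-shot PUT beside the "2-phase" PUT (send the head, wait for the server's verdict, send the body only on 100 Continue, which is the mechanism HTTP/1.1 later standardized as `Expect: 100-continue`). The server policy (a `/secure/` tree that is only served over https and redirects with 301, a 401 for any PUT without an Authorization header), the `example.invalid` redirect target, and the simplified 200 on acceptance are all constructed assumptions for this demonstration. The `Wire` object records every byte the client put on the unencrypted link, so the test at the end shows exactly when the rejected body is visible to a passive observer.

```python
"""Constructed model of one-shot vs. two-phase PUT over a plaintext link."""
from dataclasses import dataclass, field

SECURE_PREFIX = "/secure/"                # assumed: this tree is served only over https
HTTPS_ORIGIN = "https://example.invalid"  # assumed redirect target (constructed)


@dataclass
class Wire:
    """Every chunk the client wrote to the unencrypted link, i.e. what a
    passive observer on the wire would capture."""
    chunks: list = field(default_factory=list)

    def send(self, data: bytes) -> None:
        self.chunks.append(data)

    def body_exposed(self, body: bytes) -> bool:
        return any(body in chunk for chunk in self.chunks)


def build_head(method: str, path: str, headers: dict) -> bytes:
    """Serialise the request line and headers (no body)."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_head(raw: bytes):
    """Split off the head and parse it; header names are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def server_decide(raw: bytes):
    """Server policy evaluated on the head alone, before any body is read:
    redirect the protected tree to https, challenge an unauthenticated PUT,
    otherwise tell the client to go ahead (100 Continue)."""
    method, path, headers = parse_head(raw)
    if path.startswith(SECURE_PREFIX):
        return 301, {"Location": HTTPS_ORIGIN + path}
    if method == "PUT" and "authorization" not in headers:
        return 401, {"WWW-Authenticate": 'Basic realm="uploads"'}
    return 100, {}


def optimistic_put(wire: Wire, path: str, body: bytes, auth: str = "") -> int:
    """One-shot PUT: head and body leave the client together, so a 301 or
    401 verdict arrives only after the body is already on the wire."""
    headers = {"Content-Length": str(len(body))}
    if auth:
        headers["Authorization"] = auth
    wire.send(build_head("PUT", path, headers) + body)
    status, _ = server_decide(wire.chunks[-1])
    return 200 if status == 100 else status   # 200 stands in for the real 201/204


def two_phase_put(wire: Wire, path: str, body: bytes, auth: str = "") -> int:
    """Two-phase PUT: send only the head with Expect: 100-continue and
    transmit the body only if the server answers 100 Continue."""
    headers = {"Content-Length": str(len(body)), "Expect": "100-continue"}
    if auth:
        headers["Authorization"] = auth
    wire.send(build_head("PUT", path, headers))
    status, _ = server_decide(wire.chunks[-1])
    if status != 100:
        return status                          # body never touched the wire
    wire.send(body)
    return 200


if __name__ == "__main__":
    payload = b"constructed sample upload"
    for name, put in (("optimistic", optimistic_put), ("two-phase", two_phase_put)):
        wire = Wire()
        status = put(wire, "/secure/report.txt", payload)
        print(f"{name}: status {status}, body on plaintext link: {wire.body_exposed(payload)}")
```

Running the block reproduces the scenario in the message: the optimistic client gets the 301 back only after its body has crossed the unencrypted port, while the two-phase client gets the same 301 (or the 401 from step 4 of the reasoning) having sent nothing but headers, at the cost of one extra round trip before every body.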