Re: Digest: use in requests from Roberto Polli on 2020-12-29 (ietf-http-wg@w3.org from October to December 2020)

From: Roberto Polli <robipolli@gmail.com>
Date: Tue, 29 Dec 2020 10:56:54 +0100
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAP9qbHWMRsok2C=6JAEVUULTt2BXJ3kHGGDJ9TmNRrA_1J9mKg@mail.gmail.com>

Hi @Julian Reschke,

replies in-line.

TL;DR: if http forbids partial representations in requests, this discussion
will be solved without changing the spec.

Il lun 28 dic 2020, 19:33 Julian Reschke <julian.reschke@gmx.de> ha scritto:
>
> Am 28.12.2020 um 18:57 schrieb Roberto Polli:
>
> > The point is related to whether Digest on requests containing
> > partial representations should be computed on the payload-data
> > or on the representation data. The actual Digest formulation derives
>  > ...
>
> And this is where the problem starts.
>
> Could you please *define* what a request "containing a partial
> representation" is,

This is the first question: can a request payload-data convey a
partial representation?
My understanding of semantic-latest §6.4 is: yes, but if we think it
is not appropriate
we could clarify that. See:

- https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#rfc.section.6.4.p.1
- https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#rfc.section.6.4.2.p.1

> and how a component can detect that case?

As Digest is an end-to-end integrity mechanism, the intended components
are not supposed to be agnostic intermediaries. Instead, they are expected
to have some knowledge about the purpose of the payload (eg. in case
of id-* algorithms they
need to content-decode the payload to validate it, or in case of Range
Requests).

Reading https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#rfc.section.6.4.1.p.1
```The purpose of a payload in a request is defined by the method semantics```
iiuc the receiver, aware of the request semantic, knows its purpose
and how to process it, including whether it conveys a partial
representation or not.

> Furthermore, a real-world example would be useful.

I cannot mention existing standards conveying partial representations
in requests,
but I think this is not a reason for changing the representation-data-digest
mechanism defined in continuity with RFC3230 and specifying here a behavior
(no partial representations in request) that is in the domain of
httpbis-semantics.

Besides coherence with RFC3230, imho if a future method/header allows
to convey a partial representation
in a request, it should be possible to use Digest to convey the
checksum of the complete representation.

Thanks to everybody for your feedback,
R.

Received on Tuesday, 29 December 2020 09:57:18 UTC