- From: Lucas Pardue <lucaspardue.24.7@gmail.com>
- Date: Fri, 18 Jun 2021 01:02:33 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Cc: Roberto Polli <roberto@teamdigitale.governo.it>
- Message-ID: <CALGR9obLN4zfiucBTvSbbq9LTwuL2qSVRLD1ZLRvojXpUHmUXg@mail.gmail.com>
Hello HTTP WG,

TL;DR: please take a look at this Digest spec PR - https://github.com/httpwg/http-extensions/pull/1543 and let me know what you think over the next week or so.

The Digest draft [1] updates RFC 3230 to describe how to use checksums of selected representations for integrity checking. We've heard from a few people that the way this turns out behaving can be surprising, even if it is entirely correct and consistent with HTTP semantics. For example, a HEAD request for /foo could yield a response that contains a digest header; but without any message content there is no integrity checksum to compute?!

Based on feedback before, during and after the February interim, it became clear that some people have use cases that would benefit from a checksum of the message content. This is a much simpler concept in comparison. A receiver merely checks the thing they just received.

Changing the Digest field away from representation digests risks breaking use cases that depend on it. We know that, in the IETF, Metalink (RFC 6249) [2] has a dependency on RFC 3230. The wider ecosystem is harder to characterise. Breaking stuff is bad. Let's not do that.

As a path forward, it was suggested that a new field be defined, used only for content checksums. The editors have a proposal PR at https://github.com/httpwg/http-extensions/pull/1543. It defines the Content-Digest header, which uses exactly the same syntax for expressing algorithms and computed checksums. All that is different is the input data.

During today's interim there seemed to be support for adding this new Content-Digest field. At the same time, we recognise the name probably needs some bikeshedding and the PR probably needs a few more gaps filled before we land it. So we encourage the WG to take a look. We'd appreciate thoughts on the design question - do we want to add "Want-Content-Digest" too?

Cheers,
Lucas and Roberto
Digest editors

[1] https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-digest-headers
[2] https://datatracker.ietf.org/doc/html/rfc6249
Received on Friday, 18 June 2021 00:04:12 UTC
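
The distinction drawn in the message above, as an added example that is not part of the email or of the PR: the same checksum syntax computed over two different inputs, then checked by a receiver against the bytes it actually got. The function names, the sample body and the `sha-256=<base64>` RFC 3230-style rendering are assumptions of this sketch, and the byte-range case goes beyond the HEAD case the email mentions.

```python
import base64
import hashlib
import hmac

def checksum(data: bytes) -> str:
    """sha-256 in the RFC 3230-style '<algorithm>=<base64>' form (assumed syntax)."""
    return "sha-256=" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def build_response(method: str, representation: bytes, byte_range=None):
    """Return (fields, content) for a constructed server response."""
    if method == "HEAD":
        content = b""                      # no message content is sent
    elif byte_range is not None:
        first, last = byte_range           # inclusive, as in a Range request
        content = representation[first:last + 1]
    else:
        content = representation
    fields = {
        "Digest": checksum(representation),   # input: the selected representation
        "Content-Digest": checksum(content),  # input: the bytes in this message
    }
    return fields, content

def matches_received(field_value: str, received: bytes) -> bool:
    """Receiver check: does a sha-256 item in the field cover the bytes received?"""
    for item in field_value.split(","):
        algorithm, _, expected = item.strip().partition("=")
        if algorithm.lower() == "sha-256":
            actual = checksum(received).partition("=")[2]
            return hmac.compare_digest(actual, expected)
    return False  # no algorithm this receiver supports

REPRESENTATION = b'{"hello": "world"}'  # constructed sample representation

def demo():
    """For each constructed response, report which field matches the received bytes."""
    cases = [("GET", "GET", None), ("HEAD", "HEAD", None), ("GET bytes=0-7", "GET", (0, 7))]
    results = {}
    for label, method, byte_range in cases:
        fields, content = build_response(method, REPRESENTATION, byte_range)
        results[label] = {name: matches_received(value, content)
                          for name, value in fields.items()}
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

In the HEAD and byte-range cases only the content checksum matches what arrived; a receiver that wants to verify the representation checksum has to obtain or reassemble the full representation first.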