Hi Roman,
Snipping for clarity
On Wed, May 24, 2023 at 2:36 PM Roman Danyliw <rdd@cert.org> wrote:
>
>
> [Roman] That’s a key point, that no validation practices are being
> standardized. My confusion is that “This allows the recipient to choose
> which hashing algorithm(s) to use for validation instead of verifying every
> digest” hints at validation practices. I would recommend something more
> concrete on where local policy might be applied. Roughly:
>
> OLD
>
> A recipient MAY ignore any or all digests. This allows the recipient to
> choose which hashing algorithm(s) to use for validation instead of
> verifying every digest.
>
> NEW
>
> A recipient MAY ignore any or all digests. Application-specific behavior
> or local policy MAY set additional constraints on the processing and
> validation practices of the conveyed digests.
>
Thanks for the concrete suggestion (pun intended). I think this is pretty
good. I've opened an issue
(https://github.com/httpwg/http-extensions/issues/2557) to let us track the
matter and a related PR that tweaks your suggestion a little. I've raised
it with the HTTP WG just in case they have any suggestions or comments.
Modulo that, we'll incorporate it into a future revision of the document.
Cheers,
Lucas
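As an added illustration of what "choose which hashing algorithm(s) to use for validation" can look like once it is local policy rather than spec text (this is example code, not from the thread, the draft or the httpwg repository): the recipient keeps an allow-list of acceptable algorithms in preference order, verifies only the single most preferred digest it finds, and ignores every other conveyed digest, including ones in algorithms it does not accept. The dictionary-style field syntax (`sha-256=:<base64>:`) and the algorithm names are assumptions about the digest field format under discussion.

```python
import base64
import hashlib
import hmac

# Local policy (constructed for this example): algorithms this recipient is
# willing to validate, in order of preference. Anything not listed is ignored,
# which the "MAY ignore any or all digests" text permits.
ACCEPTED_ALGORITHMS = {"sha-512": hashlib.sha512, "sha-256": hashlib.sha256}
PREFERENCE = ["sha-512", "sha-256"]


def parse_digest_field(value):
    """Parse "alg=:base64:, alg2=:base64:" into {algorithm: digest_bytes}.
    Unknown algorithms are kept so the policy layer can decide what to do."""
    digests = {}
    for member in value.split(","):  # base64 never contains ',' so split is safe
        member = member.strip()
        if not member:
            continue
        name, sep, rest = member.partition("=")
        if not sep or not (rest.startswith(":") and rest.endswith(":")):
            raise ValueError(f"malformed digest member: {member!r}")
        digests[name.strip().lower()] = base64.b64decode(rest[1:-1], validate=True)
    return digests


def make_digest_field(body, algorithms):
    """Build the field value a sender would emit for the given algorithms."""
    return ", ".join(
        f"{alg}=:{base64.b64encode(ACCEPTED_ALGORITHMS[alg](body).digest()).decode()}:"
        for alg in algorithms
    )


def validate(body, field_value):
    """Apply local policy: verify only the most preferred accepted digest present.
    Returns (ok, algorithm_used); ok is None when no accepted algorithm was conveyed,
    leaving it to the application to decide whether that is acceptable."""
    conveyed = parse_digest_field(field_value)
    for alg in PREFERENCE:
        if alg in conveyed:
            expected = ACCEPTED_ALGORITHMS[alg](body).digest()
            # Constant-time comparison; the other digests are deliberately not checked.
            return hmac.compare_digest(expected, conveyed[alg]), alg
    return None, None
```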