Re: draft-ietf-httpbis-resumable-upload-01

Hi Rob,

The integrity is provided by the strength of the resume URL described in the security section. The resume URL should have a secret non-guessable path, treated similarly to a TLS session ticket. And only the client that started the upload knows the resume URL.

We don’t think there is a message integrity issue with the current approach assuming TLS is used and the resume URL is kept secret. You can additionally adopt the digest header to validate the content if desired.


> On Jul 26, 2023, at 14:45, Rob Sayre wrote:
> Hi,
> Firstly, this is the right idea. Every social network does something similar, because image and video uploads succeed over slow and unreliable networks at a much higher rate. Big operators like AWS also have a similar feature for much larger chunks, like 1MB+.
> I think the solution is a bit too low-level in HTTP terms. The working solutions I've seen use POST and something like the mechanisms in draft-ietf-httpbis-digest-headers-13. This is because the message integrity properties that come with TLS are lost when combining chunks.
> thanks,
> Rob

Received on Thursday, 27 July 2023 16:49:03 UTC
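
The two mechanisms discussed in this thread, as an added sketch that is not taken from the draft or from either poster: an unguessable resume path, plus a SHA-256 check over the reassembled upload in the `sha-256=:...:` form used by draft-ietf-httpbis-digest-headers. The `UploadStore` class, the `/uploads/` prefix and the in-memory buffer are assumptions made for illustration.

```python
import base64
import hashlib
import secrets


def new_resume_path() -> str:
    # 256 bits from the OS CSPRNG, so the path cannot be guessed or enumerated.
    # The "/uploads/" prefix is a made-up example, not something the draft defines.
    return "/uploads/" + secrets.token_urlsafe(32)


def repr_digest(data: bytes) -> str:
    # Digest of the whole representation, formatted as sha-256=:<base64>:
    b64 = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
    return "sha-256=:" + b64 + ":"


class UploadStore:
    """Hypothetical in-memory server state for resumable uploads."""

    def __init__(self):
        self.uploads = {}  # resume path -> {"expected": str, "buf": bytearray}

    def create(self, expected_digest: str) -> str:
        # The client declares the digest of the complete body when it starts.
        path = new_resume_path()
        self.uploads[path] = {"expected": expected_digest, "buf": bytearray()}
        return path

    def append(self, path: str, offset: int, chunk: bytes) -> int:
        up = self.uploads.get(path)
        if up is None:
            raise KeyError("unknown resume path")
        # Each chunk arrives in its own request, possibly on a new connection,
        # so the server only accepts it at the offset it has reached so far.
        if offset != len(up["buf"]):
            raise ValueError("offset does not match bytes received so far")
        up["buf"] += chunk
        return len(up["buf"])

    def complete(self, path: str) -> bytes:
        # Per-request TLS integrity does not cover the combined chunks;
        # the end-to-end digest does.
        up = self.uploads.pop(path)
        body = bytes(up["buf"])
        if repr_digest(body) != up["expected"]:
            raise ValueError("digest mismatch on reassembled upload")
        return body
```
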