- From: Marius Kleidl <marius@transloadit.com>
- Date: Wed, 9 Aug 2023 19:16:04 +0200
- To: Lucas Pardue <lucaspardue.24.7@gmail.com>
- Cc: Rob Sayre <sayrer@gmail.com>, Guoye Zhang <guoye_zhang@apple.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-ID: <CANY19Nsoyy9NB9VcNWGx0=R3bFzL1t+SBT1H2ZtCA7-f28djsQ@mail.gmail.com>
Hi Lucas, I had a brief read through the digest draft today while thinking how this could be applied to resumable uploads. The new integrity fields with its separation between content and representation should fit perfectly to the approach of resumable uploads. I thought I would name a few concrete examples to see if my understanding of the digest draft is correct: 1) Assume that the client knows the digest of the entire file that it wants to upload. It can then set Repr-Digest in the Upload Creation Procedure and upload the data. If the transfer is interrupted it is just resumed as normal with HEAD and PATCH. Once the upload is complete, the server can verify the integrity of the uploaded data by comparing it to the Repr-Digest from the Upload Creation Procedure. If they don't match, the server can reject the upload and return an error to the client or similar. 2) If the client does not know the digest of the entire upload at the beginning (because it is streamed from another resource), it can compute the digest while the upload is running and then include Repr-Digest as a trailer on the final Upload Creation Procedure or Upload Appending Procedure. The server can then verify as in 1). 3) If the client does not compute the digest, but wants to query the server's digest, it can include the Want-Repr-Digest in the Upload Creation Procedure. On the final response, the server should then include the Repr-Digest whose value corresponds to the entire upload that it has received. The client then may verify the digest or provide it to the client's users. 4) If the clients sets Content-Digest on an Upload Creation Procedure or Upload Appending Procedure, it only applies to the specific request body. So if the request transmission gets interrupted, the server is not able to verify the integrity and must reject the entire request without appending its content to the upload. This makes the request effectively transactional, where either the entire body or nothing is appended to the upload. This is a bit contrary to the intention of uploads that can be resumed from the point where they failed, but if you split an upload into multiple requests, this might still be interesting for some applications. Do these examples align with the intentions behind the digest draft or did I get something wrong? All in all, this appears like a great fit! Best regards Marius On Thu, Jul 27, 2023 at 10:21 PM Lucas Pardue <lucaspardue.24.7@gmail.com> wrote: > > > On Thu, 27 Jul 2023, 12:09 Rob Sayre, <sayrer@gmail.com> wrote: > >> On Thu, Jul 27, 2023 at 10:10 AM Lucas Pardue <lucaspardue.24.7@gmail.com> >> wrote: >> >>> >>> Resumable uploads should probably minimally mention something about >>> integrity of HTTP message content (parts) and the integrity of the whole >>> object. >>> >> >> Hi, that's all I meant to suggest. The problems I've seen are not >> external security threats, but bugs in reassembling the parts on the >> server, after TLS termination. >> > > Yep this is totally in scope of problems that digest is intended to help > mitigate. Thanks for the confirmation, I'll prepare some text in a PR for > the uploads draft. > > Cheers > Lucas > >> >> thanks, >> Rob >> >> >
Received on Wednesday, 9 August 2023 17:16:21 UTC