- From: Lucas Pardue <lucas@lucaspardue.com>
- Date: Thu, 19 Dec 2024 05:10:01 +0000
- To: "HTTP Working Group" <ietf-http-wg@w3.org>
- Cc: mkwst@google.com
- Message-Id: <2ebb8dc8-50c0-4585-a725-7e0c9f8170af@app.fastmail.com>
Hi HTTP WG,

I'd like to draw your attention to a replacement I-D that Mike West and I have just published; see forwarded details below.

To add some more context: Back in March 2023, I submitted draft-pardue-http-identity-digest-01 to define an "Identity-Digest" header field to cover slightly different use cases than Repr-Digest or Content-Digest - the hash of the unencoded representation (i.e. if you receive an HTTP message using content coding, you decode the bytes before calculating the hash for verification). There was a little discussion back at the time, especially with respect to the name [2]. In the meantime RFC 9530 was published but not much else happened, mostly due to lack of a concrete use case for another HTTP integrity field.

However, for the last few months there's been work happening over in the W3C community on something called Signature-based Integrity. Some of you might be familiar with SRI (Subresource Integrity) [3], an existing standard that "defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation." Signature-based integrity is a new proposal, which aims to address the brittleness and friction of SRI in practical usage. The explainer [4] contains a lot more details for those interested. Where SRI embeds information in HTML, Signature-based integrity pushes it into HTTP metadata by defining a usage profile for HTTP Message Signatures, that benefits from a hash based on unencoded representations.

Mike has been driving the work in the WICG and has joined as a co-author on the "Identity-Digest" draft. We've stuck with that name for now to avoid too much churn while the Signature-based integrity draft [5] is being discussed in other venues - but plan to change it sooner rather than later based on popular opinion [2]. Some implementation work has kicked off in Chromium [6] and other Browsers have been asked for opinions [7].

Now seems like a good time to (re)kickstart the discussion on the HTTP header field.

Practically, draft-pardue-httpbis-identity-digest-00 is a replacement for draft-pardue-http-identity-digest-01 but the datatracker wasn't playing ball. There are a few minor changes that address some of the feedback received last time around. Here's a diff tool link for convenience: https://author-tools.ietf.org/api/iddiff?doc_1=draft-pardue-http-identity-digest&url_2=https://LPardue.github.io/draft-pardue-http-identity-digest/draft-pardue-httpbis-identity-digest.txt

Cheers
Lucas

[1] - https://lists.w3.org/Archives/Public/ietf-http-wg/2023JanMar/0212.html
[2] - https://github.com/LPardue/draft-pardue-http-identity-digest/issues/10
[3] - https://www.w3.org/TR/SRI/
[4] - https://github.com/WICG/signature-based-sri
[5] - https://wicg.github.io/signature-based-sri/
[6] - https://issues.chromium.org/issues/375224898
[7] - https://chromestatus.com/feature/5032324620877824

----- Original message -----
From: internet-drafts@ietf.org
To: Lucas Pardue <lucas@lucaspardue.com>, Mike West <mkwst@google.com>
Subject: New Version Notification for draft-pardue-httpbis-identity-digest-00.txt
Date: Thursday, December 19, 2024 04:08

A new version of Internet-Draft draft-pardue-httpbis-identity-digest-00.txt has been successfully submitted by Lucas Pardue and posted to the IETF repository.

Name: draft-pardue-httpbis-identity-digest
Revision: 00
Title: HTTP Identity Digest
Date: 2024-12-19
Group: Individual Submission
Pages: 9
URL: https://www.ietf.org/archive/id/draft-pardue-httpbis-identity-digest-00.txt
Status: https://datatracker.ietf.org/doc/draft-pardue-httpbis-identity-digest/
HTML: https://www.ietf.org/archive/id/draft-pardue-httpbis-identity-digest-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-pardue-httpbis-identity-digest

Abstract:

The Repr-Digest and Content-Digest integrity fields are subject to HTTP content coding considerations. There are some use cases that benefit from the unambiguous exchange of integrity digests of unencoded representation. The Identity-Digest and Want-Identity-Digest fields complement existing integrity fields for this purpose.

The IETF Secretariat
Received on Thursday, 19 December 2024 05:10:28 UTC
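
Added example, not part of the original message or of the draft: a Python sketch of the distinction the message draws, where Repr-Digest is computed over the content-coded bytes and Identity-Digest over the bytes after decoding. It assumes Identity-Digest carries the same `sha-256=:<base64>:` dictionary syntax as the RFC 9530 fields; the helper names and the sample body are constructed for illustration, and only gzip is handled.

```python
import base64
import gzip
import hashlib
import zlib

# Constructed sample representation (not taken from the original message).
SAMPLE = b"console.log('hello from a subresource');\n" * 20

def sha256_member(data: bytes) -> str:
    """One 'sha-256=:<base64>:' dictionary member, as in RFC 9530 fields."""
    return "sha-256=:%s:" % base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_response(identity: bytes, coding=None):
    """Sender: apply the content coding (if any) and attach both digests."""
    encoded = gzip.compress(identity) if coding == "gzip" else identity
    headers = {
        "Repr-Digest": sha256_member(encoded),       # hash of the encoded bytes
        "Identity-Digest": sha256_member(identity),  # hash of the unencoded bytes
    }
    if coding:
        headers["Content-Encoding"] = coding
    return headers, encoded

def verify_identity_digest(headers: dict, body: bytes) -> bool:
    """Receiver: undo the content coding first, then hash and compare."""
    coding = headers.get("Content-Encoding")
    if coding == "gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            return False  # corrupt coding: unencoded bytes are unrecoverable
    elif coding is not None:
        return False      # coding this sketch cannot decode: fail closed
    # Assumption: the field is a comma-separated dictionary of digest members.
    members = [m.strip() for m in headers.get("Identity-Digest", "").split(",")]
    return sha256_member(body) in members

if __name__ == "__main__":
    for coding in (None, "gzip"):
        hdrs, body = build_response(SAMPLE, coding)
        print(coding, hdrs["Repr-Digest"], hdrs["Identity-Digest"],
              verify_identity_digest(hdrs, body))
```

The Identity-Digest value is the same with and without gzip, while Repr-Digest changes with the coding.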