search

ioggstream / draft-polli-resource-digests-http

THIS REPO WAS MOVED TO https://github.com/httpwg/http-extensions/
https://httpwg.org/http-extensions/draft-ietf-httpbis-digest-headers.html
Other
0 stars 1 forks source link

Introduction refers to TCP instead of TLS #14

Closed jyasskin closed 5 years ago

jyasskin commented 5 years ago

https://github.com/ioggstream/draft-polli-resource-digests-http/blame/master/draft-polli-resource-digests-http.md#L117 should probably say

Integrity protection for HTTP content is typically achieved via TLS or HTTPS [RFC2818].

ioggstream commented 5 years ago

I inherited the TCP from RFC3230, though in 2019 has a lot of more sense non mentioning TCP.

@LPardue could we say:

Integrity protection for HTTP content is typically achieved via TLS [RFC8446] or QUIC.

Otherwise I would just mention TLS.

LPardue commented 5 years ago

Ok I think I see what happened here. RFC 3230 had a whole lot of text about how integrity applies throughout the entire TCP stack. Our refactor loses that, and the sentence that @jyasskin points out can be misinterpreted.

Given it is the opening sentence I think we should change things back in the original direction but maybe more concisely. Below is my initial response before taking a step back and seeing what the real problem is here.

_Integrity is multi layered.

The intent of the sentence that I have is that it tries to explain that hops have integrity methods below layer 7: ethernet checksum, IP checksum, TCP checksum, TLS record, etc.

No matter how weak the algorithms may be, receivers that validate integrity do have an effect on the transfer of the data, and give confidence to the higher layer. Sadly, the HTTP layer doesn't do integrity checking for the most part - digest allows that.

Changing this sentence to just TLS does a disservice to all of the integrity checking through the IP stack._

jyasskin commented 5 years ago

I think I've been living too closely to cryptographic systems. Yes, it makes sense to talk about transport-layer protocols that protect integrity from random corruption even if they're not secure against clever attackers.

LPardue commented 5 years ago

Times change and we should have affordance for today's audience. I think we can address this straightforwardly.

ioggstream commented 5 years ago

@LPardue close if you like the solution ;)

LPardue commented 5 years ago

I like the solution but don't have permission to close the issue :D

ioggstream commented 5 years ago

Closed :D