ioggstream / draft-polli-resource-digests-http

THIS REPO WAS MOVED TO https://github.com/httpwg/http-extensions/
https://httpwg.org/http-extensions/draft-ietf-httpbis-digest-headers.html

Digest of "empty" representation #35

Closed ioggstream closed 5 years ago

ioggstream commented 5 years ago

I expect

An example Digest of an empty representation.

See https://github.com/martinthomson/http-mice/issues/3

LPardue commented 5 years ago

Is the suggestion here that we define some guidance such as "The digest of an empty representation is a special case that is calculated by applying the digest-algorithm to the null terminator, e.g. SHA-256("\0")"?

Although we don't have the same needs as MICE, I can see this as being useful in tandem with Signature. For instance, if some use case for Signature mandates the presence of Digest header, life gets difficult if there is no way to represent an empty representation. Providing a formal definition helps that case.

I'm undecided on how to address the validation requirements of such a digest. I'd be tempted to say that if the receiver detects this well-known pattern, and the received resource is empty, then it skips digest validation.

ioggstream commented 5 years ago

@LPardue I'm just proposing to add an example; it's fine to ask for guidance for these cases.

To favor interoperability we could propose to use a simple checksum of the resulting payload body (which may be empty or not).

About MICE

I just linked it as an example. A couple of considerations:

empty representations and content-encoding

An empty representation could, e.g., have a non-empty payload body due to Content-Encoding, so we couldn't just skip the validation.

In [119]: sha256(compress(b'')).hexdigest()
Out[119]: '7a53d5f4237c606ddaba52a2d4a3e40200eea48f5992172c6751209decae8d5a'

In [120]: sha256(b'').hexdigest()
Out[120]: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

empty representation and integrity

I may just want to ensure with Digest that the resource representation is as expected (e.g. 'No Content'), so a digest of an empty representation cannot be skipped.

empty representation and confidentiality

An empty representation may be masked by an encrypted content-coding. In this case we should not disclose information, so the MICE choice may not fit this use-case.
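The point made in the comment above, as an added Python example that is not part of the thread or of the draft: a receiver that computes the digest over the payload body and never short-circuits on an empty body. The function names, the `sha-256=<base64>` value syntax, and the use of `zlib.compress` to stand in for a content coding are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import zlib


def digest_value(payload: bytes) -> str:
    """Return 'sha-256=<base64>' computed over the payload body as received."""
    raw = hashlib.sha256(payload).digest()
    return "sha-256=" + base64.b64encode(raw).decode("ascii")


def verify_digest(header_value: str, payload: bytes) -> bool:
    """Validate a Digest value. An empty payload is checked like any other,
    so 'expected No Content, got content' is detected instead of skipped."""
    algorithm, sep, received = header_value.partition("=")
    if not sep or algorithm.strip().lower() != "sha-256":
        return False  # malformed or unsupported algorithm: fail closed
    expected = digest_value(payload).partition("=")[2]
    # Constant-time comparison of the two base64 strings.
    return hmac.compare_digest(received.strip().encode(), expected.encode())


# Constructed sample inputs.
EMPTY = b""                         # empty representation, no content coding
CODED_EMPTY = zlib.compress(EMPTY)  # same representation behind a content coding


def demo() -> dict:
    """Show that the two payload bodies differ in length and in digest."""
    return {
        "identity": (len(EMPTY), digest_value(EMPTY)),
        "coded": (len(CODED_EMPTY), digest_value(CODED_EMPTY)),
    }


if __name__ == "__main__":
    for name, (length, value) in demo().items():
        print(f"{name}: body length {length}, Digest: {value}")
```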

ioggstream commented 5 years ago

moved to https://github.com/httpwg/http-extensions/issues/849