ioggstream / draft-polli-resource-digests-http

THIS REPO WAS MOVED TO https://github.com/httpwg/http-extensions/
https://httpwg.org/http-extensions/draft-ietf-httpbis-digest-headers.html

Managing multiple digest values #36

Closed ioggstream closed 5 years ago

ioggstream commented 5 years ago

Reproduce

1- I receive multiple digest values
2- the first one validates
3- the second one does not

Which behavior do we propose?

Considerations:

LPardue commented 5 years ago

So today, it is possible for an endpoint to receive multiple values. Do we have any idea what they do? That might help us edge towards the correct guidance (although I suspect finding this answer will be tricky).

ioggstream commented 5 years ago

RFC3230 says:

A Digest header field MAY contain multiple instance-digest values. This could be useful for responses expected to reside in caches shared by users with different browsers, for example.

A recipient MAY ignore any or all of the instance-digests in a Digest header field.

imho retaining that behavior is reasonable and allows implementors to choose the digest-algorithm (hopefully the most secure) to use.

Peers could even agree on a "validate all digest" strategy: in this case we should mention resource consumption in the Security Considerations.

What do you think?
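As an added example (not code from the draft or this repo), a recipient applying the two strategies discussed above: validate only the strongest supported instance-digest and ignore the rest, or validate all of them with a cap on how many it will hash. The preference list, the cap, and the sample header values are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Algorithms this recipient supports, strongest first (assumed preference list).
# Tokens follow the RFC 3230 / draft names and are compared case-insensitively.
PREFERENCE = ["sha-512", "sha-256"]
_HASHERS = {"sha-512": hashlib.sha512, "sha-256": hashlib.sha256}


def encode_digest(alg, body):
    """Sender side: one instance-digest such as 'sha-256=<base64 digest>'."""
    return f"{alg}={base64.b64encode(_HASHERS[alg](body).digest()).decode()}"


def parse_digest(header):
    """Split a Digest field value into [(algorithm, encoded-value), ...]."""
    digests = []
    for item in header.split(","):
        alg, sep, value = item.strip().partition("=")
        if sep:  # skip empty or malformed list members; unknown algorithms are kept
            digests.append((alg.strip().lower(), value.strip()))
    return digests


def verify_one(alg, encoded, body):
    """True/False for a supported algorithm, None when the recipient cannot judge it."""
    hasher = _HASHERS.get(alg)
    if hasher is None:
        return None
    try:
        expected = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(hasher(body).digest(), expected)


def verify_preferred(header, body):
    """RFC 3230 'MAY ignore any': check only the strongest supported value present."""
    for alg in PREFERENCE:
        for found, value in parse_digest(header):
            if found == alg:
                return alg, verify_one(alg, value, body)
    return None, None  # nothing this recipient can validate


def verify_all(header, body, max_digests=4):
    """'Validate all' strategy: report every value, but bound the hashing work (assumed cap)."""
    digests = parse_digest(header)
    if len(digests) > max_digests:
        raise ValueError("too many instance-digests")
    return [(alg, verify_one(alg, value, body)) for alg, value in digests]
```

With a header whose first value validates and second does not, the "prefer strongest" policy fails on the bad sha-512 value while "validate all" exposes both results, which is the choice the thread is asking about.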

LPardue commented 5 years ago

Looking at this again, I'm happy with the current guidance and don't think adding anything more will improve interoperability. Unless someone comes up with an actual problem or a compelling security problem, I think we just leave it as is.