Closed ioggstream closed 5 years ago
So today, it is possible for an endpoint to receive multiple values. Do we have any idea what they do? That might help us edge towards the correct guidance (although I suspect finding this answer will be tricky).
RFC3230 says:
A Digest header field MAY contain multiple instance-digest values. This could be useful for responses expected to reside in caches shared by users with different browsers, for example.
A recipient MAY ignore any or all of the instance-digests in a Digest header field.
imho retaining that behavior is reasonable and allows implementors to choose the digest-algorithm (hopefully the most secure) to use.
Peers could even agree on a "validate all digest" strategy: in this case we should mention resource consumption in the Security Considerations.
What do you think?
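An added sketch (not part of the thread or of the spec text) of the two recipient strategies mentioned in the comment above, applied to the case this issue raises where one value matches and another does not. The function names, the policy names, the preference order and the `MAX_DIGESTS` cap are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Digest algorithm token -> hashlib name, most preferred first (assumed order).
ALGS = {"sha-512": "sha512", "sha-256": "sha256", "sha": "sha1", "md5": "md5"}
ORDER = list(ALGS)
MAX_DIGESTS = 4  # assumed cap on hashing work under the "all" policy


def parse_digest(header_value):
    """Split 'alg=b64, alg=b64' into [(alg, b64)] with the algorithm lowercased."""
    pairs = []
    for item in header_value.split(","):
        # Split on the first '=' only: base64 padding also uses '='.
        alg, sep, value = item.strip().partition("=")
        if sep and alg and value:
            pairs.append((alg.lower(), value))
    return pairs


def matches(alg, encoded, body):
    expected = base64.b64encode(hashlib.new(ALGS[alg], body).digest())
    return hmac.compare_digest(expected, encoded.encode())


def validate(header_value, body, policy="strongest"):
    """Return (ok, [(alg, matched)]) for the digests that were actually checked."""
    supported = [(a, v) for a, v in parse_digest(header_value) if a in ALGS]
    if not supported:
        return False, []
    if policy == "strongest":
        # Check only the most preferred algorithm and ignore the rest.
        supported = sorted(supported, key=lambda p: ORDER.index(p[0]))[:1]
    elif len(supported) > MAX_DIGESTS:
        return False, []  # "all" policy: refuse unbounded hashing work
    checked = [(a, matches(a, v, body)) for a, v in supported]
    return all(ok for _, ok in checked), checked


def demo():
    body = b'{"hello": "world"}'  # constructed sample payload
    good = base64.b64encode(hashlib.sha256(body).digest()).decode()
    bad = base64.b64encode(hashlib.md5(b"other").digest()).decode()
    header = f"sha-256={good}, md5={bad}"  # first validates, second does not
    return validate(header, body, "strongest"), validate(header, body, "all")
```

With the constructed header in `demo()`, the "strongest" policy accepts the message because the failing `md5` value is never checked, while the "all" policy rejects it.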
Looking at this again, I'm happy with current guidance and don't think adding anything more will improve interoperability. Unless someone comes with an actual problem or compelling security problem I think we just leave as is.
Reproduce
1- I receive multiple digest values
2- the first one validates
3- the second one does not
Which behavior do we propose?
Considerations: