Merged
11 changes: 5 additions & 6 deletions draft-ietf-httpapi-digest-fields-problem-types.md
@@ -84,8 +84,6 @@ Want-Content-Digest: sha-512=3, sha-256=10

# Conventions and Definitions

{::boilerplate bcp14-tagged}

Some examples in this document contain long lines that may be folded, as described in {{RFC8792}}.

The terms "integrity fields" and "integrity preference fields" in this document are to be
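
Review bot: Dropping `{::boilerplate bcp14-tagged}` from Conventions and Definitions leaves any uppercase BCP 14 keyword that remains in the draft without a definition. The next hunk rewords one MUST NOT, so search the rest of the file for other uppercase keywords and rephrase them in this same change, so that readers do not take them as normative.
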
@@ -199,7 +197,7 @@ Content-Type: application/problem+json

## Invalid Digest Values

This section defines the "https://iana.org/assignments/http-problem-types#digest-invalid-values" problem type. A server can use this problem type when responding to a request, whose integrity fields include a digest value that cannot be generated by the corresponding hashing algorithm. For example, if the digest value of the `sha-512` hashing algorithm is not 64 bytes long, it cannot be a valid SHA-512 digest value and the server can skip computing the digest value. This problem type MUST NOT be used if the server is not able to parse the integrity fields according to {{Section 4.5 of STRUCTURED-FIELDS}}, for example because of a syntax error in the field value.
This section defines the "https://iana.org/assignments/http-problem-types#digest-invalid-values" problem type. A server can use this problem type when responding to a request, whose integrity fields include a digest value that cannot be generated by the corresponding hashing algorithm. For example, if the digest value of the `sha-512` hashing algorithm is not 64 bytes long, it cannot be a valid SHA-512 digest value and the server can skip computing the digest value. This problem type cannot be used if the server is not able to parse the integrity fields and obtain a value according to {{Section 4.5 of STRUCTURED-FIELDS}}, for example because of a syntax error.

For this problem type, the `invalid-digests` extension member is defined, whose value is a JSON {{JSON}} array of entries identifying each invalid digest.
Each entry in the array is a JSON object with the following members:
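
Review bot: In the rewritten last sentence of the Invalid Digest Values paragraph, "cannot be used" reads as a statement of impossibility, although nothing prevents a server from sending this problem type after a failed parse; "does not apply if" states the intended scope more accurately now that MUST NOT is gone. The added "and obtain a value" does not say which value is meant (the parsed field value or the digest), and the example lost "in the field value", which made clear where the syntax error occurs; consider restoring it.
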
@@ -300,11 +298,12 @@ Disclosing error details could leak information
such as the presence of intermediaries or the server's implementation details.
Moreover, they can be used to fingerprint the server.

To mitigate these risks, a server could assess the risk of disclosing error details
To mitigate these risks, server operators could assess the risk of disclosing error details
and prefer a general problem type over a more specific one.

When a server informs the client about mismatched digest values, it should not expose
the calculated digest to avoid exposing information that can be abused for oracle attacks.
There is no method defined for the server to communicate a digest value that it
calculated for the purpose of validation. Such information can be abused for
oracle attacks.

# IANA Considerations

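Review bot: The new closing paragraph of the security text replaces the advice "it should not expose the calculated digest" with an observation that no method is defined, which no longer tells implementers to avoid returning the calculated digest by some other means. Consider keeping an explicit recommendation next to the new sentence, and replace "Such information" with "A calculated digest value" so the antecedent is unambiguous.
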