W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1995

Re: Content-MD5

From: <Harald.T.Alvestrand@uninett.no>
Date: Sun, 05 Nov 1995 20:46:44 +0100
Message-Id: <199511051946.UAA14079@dale.uninett.no>
To: Laurent Demailly <dl@hplyot.obspm.fr>
Cc: "Roy T. Fielding" <fielding@avron.ICS.UCI.EDU>, Dave Raggett <dsr@w3.org>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
At the time Content-MD5 was described, we needed something to protect
us against accidental mangling of E-mail.

The chances of something being mangled by accident in such a way that the
Content-MD5 checksum remains valid is not well described by the word
"microscopic"; it is too small. A new "MD6" algorithm won't change that.

Content-MD5 is *NOT* a security feature; it is trivially easy to modify
the text of a message, recompute the MD5 checksum and insert that into
the headers.

One reason to choose Content-MD5 for the header name rather than a
syntax like "content-checksum: alg=md5; zxclkjsakjfwe" was exactly to
PREVENT the adoption of MD2 or MD6 or SHA or the System V "sum".
In this case, one algorithm is (IMHO) better than two.

               Harald A
Received on Monday, 6 November 1995 00:05:08 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:35 EDT