W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

RE: [Content-MD5 and Message Digest Authentication.], MD5 broken.

From: Paul Leach <paulle@microsoft.com>
Date: Fri, 26 Apr 1996 16:31:11 -0700
Message-Id: <c=US%a=_%p=msft%l=RED-77-MSG-960426233111Z-14523@tide21.microsoft.com>
To: "'hallam@w3.org'" <hallam@w3.org>, "'Roy T. Fielding'" <fielding@avron.ICS.UCI.EDU>
Cc: "'http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com'" <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Digest Auth already has the algorithm as a parameter. The name
"Content-MD5" can't be changed for historical reasons.

>----------
>From: 	Roy T. Fielding[SMTP:fielding@avron.ICS.UCI.EDU]
>Sent: 	Friday, April 26, 1996 4:08 PM
>To: 	hallam@w3.org
>Cc: 	http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>Subject: 	Re: [Content-MD5 and Message Digest Authentication.], MD5
>broken. 
>
>> Content-MD5: 2A1238912371239587; alg=SHA
>> 
>> This construction is likely to break for obvious reasons.
>
>Phill, this has already been discussed to death.  There is no advantage
>to using a generic parameter name for an Entity-Header -- they can be
>added
>or removed at any time.  The only thing you accomplish in such a
>situation
>is for programs to have to parse the contents of the header field in
>order to know whether or not it is applicable to them, which is a
>bad design.
>
>The obvious way to handle a new digest algorithm like SHA is
>
>   Content-SHA: 2A1238912371239587
>
>which is exactly how the HTTP protocol is designed.  Leave it be.
>
>
> ...Roy T. Fielding
>    Department of Information & Computer Science   
>(fielding@ics.uci.edu)
>    University of California, Irvine, CA 92717-3425   
>fax:+1(714)824-4056
>    http://www.ics.uci.edu/~fielding/
>
>
Received on Friday, 26 April 1996 16:34:45 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:51 EDT