W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1996

RE: HTTP/1.1 Contradiction

From: Paul Leach <paulle@microsoft.com>
Date: Fri, 13 Dec 1996 16:18:50 -0800
Message-Id: <c=US%a=_%p=msft%l=RED-77-MSG-961214001850Z-108491@INET-05-IMC.itg.microsoft.com>
To: 'Daniel DuBois' <dan@spyglass.com>, 'Jeffrey Mogul' <mogul@pa.dec.com>
Cc: "'http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com'" <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Imagine that you've computed an MD5 (or other) checksum over the content
body and various of the headers. If you change any of them, the digest
won't check thereafter. When the digest is used for authentication and
as a secure integrity check, the failure of the digest to check would
lead to some kind of security fault.  The "no-transform" directive was
added to tell proxies that changing the body or certain headers would
lead to some kind of failure.

In the case in question (an HTTP to mail gateway), it may not be
important that the recipient of the Mime-body be able to verify its
origins and that it wasn't tampered with in transit -- an ordinary mail
client wouldn't know how to do so anyway. Hence, adding a Content-Length
in the gateway might not matter.

>----------
>From: 	Jeffrey Mogul[SMTP:mogul@pa.dec.com]
>Sent: 	Friday, December 13, 1996 3:48 PM
>To: 	Daniel DuBois
>Cc: 	http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>Subject: 	Re: HTTP/1.1 Contradiction 
>
>    Hey HTTP-WG, why can't proxies modify/change Content-Length on
>    no-transform responses?
>
>I believe this is because the Digest-Authentication people needed
>that.  See 
>   http://www.ics.uci.edu/pub/ietf/http/draft-ietf-http-digest-aa-05.txt
>(but you'll have to ask one of them for a definitive answer).
>
>-Jeff
>
>
Received on Friday, 13 December 1996 16:21:16 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:19 EDT