- From: Buzonas, Steve <sbuzonas@carnegielearning.com>
- Date: Fri, 12 Sep 2014 01:51:05 -0400
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: Julian Reschke <julian.reschke@gmx.de>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
> On Sep 11, 2014, at 6:14 PM, "Martin Thomson" <martin.thomson@gmail.com> wrote: > >> On 11 September 2014 12:45, Julian Reschke <julian.reschke@gmx.de> wrote: >> I've been toying with the idea of defining a replacement for Content-MD5 >> (clarity on 206, hash algorithm agility, maybe a conditional header field, >> potentially consistent with the SRI spec). > > That sounds like it's worthwhile, if you can find a customer. > > Bootstrapping off SRI seems pretty natural here. You get an SRI link, > you make a request with an If-Content-Hash conditional and you avoid > downloading content that doesn't match, if your server is honest. Not > a huge gain though, because it's not exactly recoverable if you don't > get a match and it still doesn't help for servers that don't support > the conditional (or malicious servers). > > The more interesting uses are for patching scenarios where you might > want to be properly sure that the content you are patching is the > content you think. > Passing an MD5 sum won't really cut it either. Each hop could replace the value with whatever it decides to tack on. Steve Buzonas Web Developer Carnegie Learning, Inc. (888) 851-7094 x141 toll free (412) 690-2444 fax sbuzonas@carnegielearning.com www.carnegielearning.com
Received on Friday, 12 September 2014 05:51:33 UTC