- From: Paul Leach <paulle@microsoft.com>
- Date: Fri, 13 Dec 1996 16:18:50 -0800
- To: 'Daniel DuBois' <dan@spyglass.com>, 'Jeffrey Mogul' <mogul@pa.dec.com>
- Cc: "'http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com'" <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Imagine that you've computed an MD5 (or other) checksum over the content body and various of the headers. If you change any of them, the digest won't check thereafter. When the digest is used for authentication and as a secure integrity check, the failure of the digest to check would lead to some kind of security fault. The "no-transform" directive was added to tell proxies that changing the body or certain headers would lead to some kind of failure. In the case in question (an HTTP to mail gateway), it may not be important that the recipient of the Mime-body be able to verify its origins and that it wasn't tampered with in transit -- an ordinary mail client wouldn't know how to do so anyway. Hence, adding a Content-Length in the gateway might not matter. >---------- >From: Jeffrey Mogul[SMTP:mogul@pa.dec.com] >Sent: Friday, December 13, 1996 3:48 PM >To: Daniel DuBois >Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com >Subject: Re: HTTP/1.1 Contradiction > > Hey HTTP-WG, why can't proxies modify/change Content-Length on > no-transform responses? > >I believe this is because the Digest-Authentication people needed >that. See > http://www.ics.uci.edu/pub/ietf/http/draft-ietf-http-digest-aa-05.txt >(but you'll have to ask one of them for a definitive answer). > >-Jeff > >
Received on Friday, 13 December 1996 16:21:16 UTC