- From: <Harald.T.Alvestrand@uninett.no>
- Date: Sun, 05 Nov 1995 20:46:44 +0100
- To: Laurent Demailly <dl@hplyot.obspm.fr>
- Cc: "Roy T. Fielding" <fielding@avron.ICS.UCI.EDU>, Dave Raggett <dsr@w3.org>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

At the time Content-MD5 was described, we needed something to protect us against accidental mangling of E-mail. The chances of something being mangled by accident in such a way that the Content-MD5 checksum remains valid are not well described by the word "microscopic"; it is too small. A new "MD6" algorithm won't change that.

Content-MD5 is *NOT* a security feature; it is trivially easy to modify the text of a message, recompute the MD5 checksum and insert that into the headers.

One reason to choose Content-MD5 for the header name rather than a syntax like "content-checksum: alg=md5; zxclkjsakjfwe" was exactly to PREVENT the adoption of MD2 or MD6 or SHA or the System V "sum". In this case, one algorithm is (IMHO) better than two.

Harald A

Received on Monday, 6 November 1995 00:05:08 UTC
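
An added illustration of the distinction drawn in the message above (not part of the original e-mail): a receiver that checks only Content-MD5 catches accidental corruption but accepts a body whose checksum was recomputed, while a keyed tag does not. The `X-Body-MAC` header, the shared key and the sample body are constructed for this example, and HMAC-SHA256 stands in for a keyed mechanism that the message itself does not name.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-shared-secret"          # assumption: known only to sender and receiver
BODY = b"Pay 10 dollars to Alice\r\n"       # constructed sample body

def content_md5(body: bytes) -> str:
    """Content-MD5 value: base64 of the 128-bit MD5 digest of the body."""
    digest = hashlib.md5(body, usedforsecurity=False).digest()
    return base64.b64encode(digest).decode("ascii")

def body_mac(key: bytes, body: bytes) -> str:
    """Keyed tag over the body (hypothetical X-Body-MAC header, not a real standard)."""
    return base64.b64encode(hmac.new(key, body, hashlib.sha256).digest()).decode("ascii")

def make_message(body: bytes, key: bytes) -> dict:
    return {"body": body, "Content-MD5": content_md5(body), "X-Body-MAC": body_mac(key, body)}

def checksum_ok(msg: dict) -> bool:
    """Receiver-side integrity check using the unkeyed checksum only."""
    return hmac.compare_digest(msg["Content-MD5"], content_md5(msg["body"]))

def mac_ok(msg: dict, key: bytes) -> bool:
    """Receiver-side check using the keyed tag."""
    return hmac.compare_digest(msg["X-Body-MAC"], body_mac(key, msg["body"]))

def mangle(msg: dict) -> dict:
    """Accidental corruption in transit: one bit of the body flips, headers untouched."""
    out = dict(msg)
    out["body"] = bytes([msg["body"][0] ^ 0x01]) + msg["body"][1:]
    return out

def rewrite(msg: dict, new_body: bytes) -> dict:
    """Intermediary without the key: changes the body and recomputes the checksum."""
    out = dict(msg)
    out["body"] = new_body
    out["Content-MD5"] = content_md5(new_body)   # needs no secret
    return out                                    # X-Body-MAC cannot be recomputed

def demo() -> dict:
    original = make_message(BODY, KEY)
    mangled = mangle(original)
    rewritten = rewrite(original, b"Pay 99 dollars to Alice\r\n")
    return {
        "original": (checksum_ok(original), mac_ok(original, KEY)),
        "mangled": (checksum_ok(mangled), mac_ok(mangled, KEY)),
        "rewritten": (checksum_ok(rewritten), mac_ok(rewritten, KEY)),
    }

if __name__ == "__main__":
    for case, (md5_pass, mac_pass) in demo().items():
        print(f"{case:10s} Content-MD5 ok={md5_pass}  keyed MAC ok={mac_pass}")
```
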