I will back off of insisting on a more flexible and general solution to the
checksum "requirement". However, I do have three comments about adding a
checksum solution:
1. The checksum must be based on a canonical form of the data. One
candidate canonical form is the base64 encoding. In other words, it
would be very bad to base the checksum on the underlying binary (or
local) representation. See RFC 1113 for the rationale.
2. A gateway must NOT touch the checksum. The checksum must be an end-to-
end service. Although a gateway may manipulate a message in order to
pass it from one environment to another, it must not manipulate it in
such a way that the recipient cannot recover the version upon which the
checksum is based. This is simply a special case of basing the checksum
on a canonical form.
3. If the checksum is present, it must be mandatory for a recipient to
verify it and alert the user to a discrepancy. Otherwise, what is the
point in having it?
Jim
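
The three points above, worked through as an added example that is not part of the original message: the checksum is taken over a canonical form, a gateway re-wraps the encoded body without touching the checksum, and the recipient must verify. The CRLF canonicalization, SHA-256, the dict message layout and all function names are assumptions made for illustration.

```python
import base64
import hashlib


class ChecksumMismatch(Exception):
    """Raised so the caller can alert the user to a discrepancy (point 3)."""


def canonicalize(local_text: str) -> bytes:
    # Assumed canonical form: CRLF line endings, UTF-8 bytes, independent
    # of whether the sending host stores lines as LF, CR or CRLF.
    unified = local_text.replace("\r\n", "\n").replace("\r", "\n")
    return unified.replace("\n", "\r\n").encode("utf-8")


def checksum(data: bytes) -> str:
    # SHA-256 is an assumption; the message does not name an algorithm.
    return hashlib.sha256(data).hexdigest()


def send(local_text: str) -> dict:
    canonical = canonicalize(local_text)
    body = base64.b64encode(canonical).decode("ascii")
    return {"checksum": checksum(canonical), "body": body}


def gateway(msg: dict, width: int, newline: str) -> dict:
    # A gateway may re-wrap the encoded body for the next environment,
    # but it passes the checksum through untouched (point 2).
    flat = "".join(msg["body"].split())
    lines = [flat[i:i + width] for i in range(0, len(flat), width)]
    return {"checksum": msg["checksum"], "body": newline.join(lines)}


def receive(msg: dict) -> bytes:
    # Recover the canonical form, then verify; verification is mandatory.
    canonical = base64.b64decode("".join(msg["body"].split()), validate=True)
    if checksum(canonical) != msg["checksum"]:
        raise ChecksumMismatch("body does not match end-to-end checksum")
    return canonical


if __name__ == "__main__":
    unix_copy, dos_copy = "line one\nline two\n", "line one\r\nline two\r\n"  # constructed
    # Checksums over the local bytes disagree; over the canonical form they agree.
    print(checksum(unix_copy.encode()) == checksum(dos_copy.encode()))
    print(checksum(canonicalize(unix_copy)) == checksum(canonicalize(dos_copy)))
    print(receive(gateway(send(unix_copy), 16, "\r\n")))
```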