In <162250558403(_dot_)20031125073311(_at_)brandenburg(_dot_)com> Dave Crocker
<dhc(_at_)dcrocker(_dot_)net> writes:
Folks,
What is the current status of content-md5 usage?
I am wondering whether this sort of signing of the body is reliable and
cheap, and whether it has become at all popular.
Well dtmail is the only mailer that generates it AFAIK, and it gets it
wrong (or does in Solaris 7 - it may be fixed in later versions). I know
for a fact that Turnpike checks it.
But as a feature, I like it, because it is proof against changes of CTE as
the message propagates. Also, on occasions when headers of a message have
to be signed (e.g. in PGPVerify), it would be far nicer to exclude the
body of the message from the signature and, instead, sign the Content-MD5
header alongside whatever other headers were being signed. That way, if
something fails (e.g. some trailing white lines got added to the body),
the recipient has a much better chance of working out what went wrong, and
at least he knows that the headers were received intact.
So, it ain't broke and doesn't need to be fixed.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave,
CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5