On Mon, Feb 05, 2001 at 09:54:16AM -0800, Maciocco, Christian wrote:
Maybe it would be better to say 'message' instead of 'content' (to
encompass both requests and responses)?
How is content integrity defined? Is this the default behavior where no
actions/services on the content are performed by the box? If an action
is performed, how will we validate integrity?
I'd define message integrity as changing the message in a manner that
its semantics do not allow. HTTP already has a simple processing
model defined; caching and content negotiation, for example, allow
intermediaries to modify messages in certain ways. Transformations
which occur outside of the semantics of the message and the
requirements of the protocol are unexpected, resulting in a loss of
integrity.
End users and content providers will be interested in content
integrity, not vendors of processing intermediaries. The only ways
they can verify integrity now is a) Content-MD5 (which can be
recalculated by an intermediary, and is not widely supported or b)
use SSL/TLS.
--
Mark Nottingham, Research Scientist
Akamai Technologies (San Mateo, CA)