ietf-openproxy
[Top] [All Lists]

Re: HTTP/OCP: All Content-* headers are special

2003-10-15 23:46:32

On Thu, 2003-10-16 at 08:40, Alex Rousskov wrote:
Martin,

      Could you please check that HTTP Adaptations draft talks about
OPES processor responsibility for "correctness" of not just
Content-Length header but all(?) Content- headers including things
like Content-MD5? Perhaps we can include a general statement that
covers all headers?

      HTTP OPES processors MUST insure correctness of
      all HTTP headers documented in specifications
      that the processors intend to be compliant with.
      For example, the correctness of Content-Length
      and Content-MD5 headers have to be insured by
      processors claiming compliance with HTTP/1.1
      (RFC 2616).

Or would that be an overkill?

I think its a necessary condition.

Perhaps the only realistic
default for a processor would be to remove Content-MD5 header: absence
of truth is better than lies.

For rfc2617/digest signed message bodies and similar mechanisms, it's
probably intractable. 
For non verifiable headers - I think it depends on the advertisied
origin: that is if the OPES device is comparable to a reverse proxy, it
is considered authoritative for the entity and can safely correct such
headers. For non authoritative OPES devices - say ISP's performing local
ad replacement (ignoring the policy questions surrounding that) - then
removing it is probably the most accurate step.

Rob

-- 
GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.