Re: the 8-bit dilemma

Barton E. Schaefer (schaefer@z-code.ncd.com)
Wed, 6 Mar 1996 14:57:34 -0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Previous message: Ned Freed: "Re: the 8-bit dilemma"

On Mar 6,  1:50pm, Ned Freed wrote:
} Subject: Re: the 8-bit dilemma
}
} The URL really doesn't need to be signed or hashed, even though it is by
} virtue of being included in the signed content.  Nor does the material it
} points at need to be signed. It is sufficient to compute a hash of the
} material and include it in the material that is signed. And this is the
} service content-md5 provides.

Thank you, Ned!  You've just provided the example I'd been searching for
of the value of "message security" as an independent concept from "object
security on message objects".  The Content-MD5 of a message/external-body
must be secure to prevent an attacker from switching the external object
with one of his own creation; but there's no reason to conceal the mere
presence of the Content-MD5 header, as it provides no information about
the content of the external object.

Switching an external object for a decoy is qualitatively more damaging
than simply preventing access to the object, which is the distinction I
was looking for.

-- 
Bart Schaefer                     Vice President, Technology, Z-Code Software
schaefer@z-code.com                  Division of NCD Software Corporation
http://www.well.com/www/barts

Previous message: Ned Freed: "Re: the 8-bit dilemma"