OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [wss] SwA | Canonicalizing Content-Length MIME header


Maneesh
 
You raise three good points about the Attachment-Complete Reference Transform section 4.2.2
 
1. Do we really need to have the capability to include headers in a signature?
 
2. If we do, shouldn't all "application level" MIME headers be included? Currently only those explicitly listed are.
 
3. Should we remove Content-Length and MIME-version from the list? In general, is the list correct?
 
I suspect there is value to redundancy in checking that headers weren't changed (e.g. if the Content-Length header value is shortened without detection  couldn't that be an attack?)
 
Is it correct that the MIME processing layer will pass the appropriate Content-Length after transfer-encoding is "undone" or is there an issue here?
 
I'd like to understand what others agree before attempting any changes in this area.
 
Thanks
 
regards, Frederick
 
Frederick Hirsch
Nokia


From: ext Maneesh Sahu [mailto:maneesh@westbridgetech.com]
Sent: Wednesday, September 01, 2004 2:46 PM
To: Hirsch Frederick (Nokia-TP/Boston); wss@lists.oasis-open.org
Subject: RE: [wss] SwA | Canonicalizing Content-Length MIME header

The MIME headers besides Content-Length- MIME-Version, Content-Id, etc provide information not available in the MIME part’s body. One can infer the Content-Length from the size of the MIME Part’s body.

 

The Content-Length is a function of the Content-Transfer-Encoding that Lines 130 and 131 mention as out of scope. Also, this header is primarily meant for efficiency purposes while receiving data (setting up buffer sizes et al).

 

Maneesh Sahu

Westbridge Technology, Inc.

 


From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
Sent: Wednesday, September 01, 2004 11:33 AM
To: Maneesh Sahu; wss@lists.oasis-open.org
Subject: RE: [wss] SwA | Canonicalizing Content-Length MIME header

 

Maneesh

 

if the header is signed then it needs to be in a single format. 

 

Which information is redundant?

 

Perhaps I am misunderstanding your comment.

 

regards, Frederick

 

Frederick Hirsch

Nokia

 


From: ext Maneesh Sahu [mailto:maneesh@westbridgetech.com]
Sent: Wednesday, September 01, 2004 1:31 PM
To: wss@lists.oasis-open.org
Subject: [wss] SwA | Canonicalizing Content-Length MIME header

Frederick, All

 

What is the value in canonicalizing the Content-Length MIME header? This information is redundant.

 

Maneesh Sahu

Westbridge Technology, Inc.

 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]