signing relevant representation metadata is mandatory

[ioggstream]

This PR

States that:

• When using Digest in signatures, you must sign content-type.
• If content codings are applied, you must sign content-encodings too.

[ioggstream]

@jyasskin maybe related to https://github.com/WICG/webpackage/blame/master/draft-yasskin-http-origin-signed-responses.md#L352

[LPardue]

An alternative way of fixing this is to state the problem in more generic terms. For example, all resource metadata is open to tampering; any methods that attempt to address tampering of the digest header MUST also consider mandatory elements that compose Digest: Content-Type and Content-Encoding.

[ioggstream]

While we could provide those informations in a BCP (eg. like it was done in https://tools.ietf.org/html/rfc6819) I think that it could have sense to provide them here.

Thinking twice, I don't know if the Security Consideration can contain "MUST" & co.

Still imho we should state clearly that:

• if you have multiple content-{encoding,type}, not signing them means not signing anything;
• if you have fixed content-{encoding,type}, not signing them means that once you add a new content-encoding you should create a different version of your whole spec.

Let's see how other specs address this kind of issues.