When all payloads are implied to be Atom/RSS, signing the payload is sufficient for authenticating the message because the HTTP headers are completely ignored.
As we move to a mode of arbitrary content distribution, there can be some corner-cases where the meaning of a notification can be changed by altering the headers while retaining the payload. I'd concede that this will be rare, but I believe we should plug this obvious "hole" in the authenticated distribution protocol as part of introducing arbitrary content types.
My proposal is that we define a new signature base string that incorporates:
- every header field whose name starts with Content-
- the content of the entity-body, including any content-encoding that has been applied, but not including any transfer-encoding applied to the message-body (i.e. the same bytestream that would be used to compute the Content-MD5 HTTP header)
- a nonce
The format of the header that provides this information must then change to incorporate the nonce, which would also be a good opportunity to either rename it to a non-experimental name (no X- prefix) or recast it as an HTTP authentication scheme using the Authorization header field.
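The following is an added illustration of the proposed base string, not code from the post or from any hub implementation. It assumes HMAC-SHA1 keyed with a secret shared between hub and subscriber (the post does not fix a MAC algorithm) and an assumed canonical layout: lowercased, sorted Content-* headers, then the nonce, a blank line, and the entity body; the sample notification is constructed.

```python
import hashlib
import hmac

def signature_base(headers, body, nonce):
    """Bytes to sign: every Content-* header, the nonce, then the entity body.

    Header names are case-insensitive in HTTP, so they are lowercased and sorted
    to give hub and subscriber the same canonical form (assumed layout). The body
    is the exact octet stream after content-encoding and before transfer-encoding,
    i.e. the same bytes a Content-MD5 header would be computed over.
    """
    content_headers = sorted(
        (name.lower(), value.strip())
        for name, value in headers.items()
        if name.lower().startswith("content-")
    )
    lines = [f"{name}:{value}\n".encode("utf-8") for name, value in content_headers]
    lines.append(f"nonce:{nonce}\n".encode("utf-8"))
    lines.append(b"\n")  # blank line separates the signed header block from the body
    return b"".join(lines) + body

def sign(secret, headers, body, nonce):
    """HMAC-SHA1 over the base string, hex-encoded (algorithm is an assumption)."""
    return hmac.new(secret, signature_base(headers, body, nonce), hashlib.sha1).hexdigest()

def verify(secret, headers, body, nonce, presented):
    """Subscriber-side check; constant-time compare so the check itself leaks nothing."""
    return hmac.compare_digest(sign(secret, headers, body, nonce), presented)

def sign_body_only(secret, body):
    """The current scheme the post describes: MAC over the payload alone, headers ignored."""
    return hmac.new(secret, body, hashlib.sha1).hexdigest()

# Constructed sample notification (not taken from any real hub or subscriber).
SECRET = b"subscriber-shared-secret"
NONCE = "6f1a2c9e4b7d"
BODY = b'<?xml version="1.0"?><feed xmlns="http://www.w3.org/2005/Atom"><title>t</title></feed>'
HEADERS = {"Content-Type": "application/atom+xml", "Content-Length": str(len(BODY))}
# Same bytes, different Content-Type: the corner case the post wants the signature to cover.
TAMPERED = dict(HEADERS, **{"Content-Type": "text/html"})

if __name__ == "__main__":
    new_sig = sign(SECRET, HEADERS, BODY, NONCE)
    print("genuine message verifies:", verify(SECRET, HEADERS, BODY, NONCE, new_sig))
    print("Content-Type altered, proposed scheme:", verify(SECRET, TAMPERED, BODY, NONCE, new_sig))
    old_sig = sign_body_only(SECRET, BODY)
    # Body-only verification never sees the headers, so the altered message still matches.
    print("Content-Type altered, body-only scheme:", hmac.compare_digest(old_sig, sign_body_only(SECRET, BODY)))
```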