Let's assume that the server receives a request including an integrity field and content. While the server recognizes the presence of an integrity digest, it is not interested in using the digest to verify the integrity of the message content. For example because it wants to save computational cost associated with computing integrity digests.
The server could ignore the integrity fields and process the request without them. However, the client then has no knowledge that the server ignores the digests and cannot distinguish between cases where the server successfully verified the integrity and where the server ignored the digest altogether. This scenario is not always ideal because integrity may be violated without the server raising an error and thus the client believes no violation occurred.
The server could also choose to reject the request saying that it acknowledges the presence of the integrity fields but cannot guarantee integrity because it doesn't check the digests. The client can then decide to resend the request without integrity fields knowing that the content's integrity isn't verified or to abort the operation if integrity is of high importance.
If the server chooses to do the latter, can it use the unsupported algorithm problem type even if there is no algorithm that the server would accept? Should we introduce a new problem types for this situation?
Let's assume that the server receives a request including an integrity field and content. While the server recognizes the presence of an integrity digest, it is not interested in using the digest to verify the integrity of the message content. For example because it wants to save computational cost associated with computing integrity digests.
The server could ignore the integrity fields and process the request without them. However, the client then has no knowledge that the server ignores the digests and cannot distinguish between cases where the server successfully verified the integrity and where the server ignored the digest altogether. This scenario is not always ideal because integrity may be violated without the server raising an error and thus the client believes no violation occurred.
The server could also choose to reject the request saying that it acknowledges the presence of the integrity fields but cannot guarantee integrity because it doesn't check the digests. The client can then decide to resend the request without integrity fields knowing that the content's integrity isn't verified or to abort the operation if integrity is of high importance.
If the server chooses to do the latter, can it use the unsupported algorithm problem type even if there is no algorithm that the server would accept? Should we introduce a new problem types for this situation?