[liberationtech] Signed HTTP
Eduardo Robles Elvira
edulix at gmail.com
Tue Mar 11 05:57:15 PDT 2014
On 11/03/14 13:41, Steve Schultze wrote:
> Greetings all,
>
> A couple of years ago, I did some limited research on signed (but
> not encrypted) HTTP responses. I discovered that although it had
> been considered briefly by a few folks in the past, it never went
> anywhere. This continues to be surprising to me, given the ever
> increasing need to mirror content for a variety of reasons. Has
> anyone on the list thought about this? It seems that our community
> has a particularly strong case for such a thing.
>
> We sign software packages and emails. Why not http results? Ideally
> this would call for an IETF standard implemented in the major http
> servers, using certs already installed for https (if that is
> technically possible... I haven't thought through the crypto).
>
> Steve
Hello:
This has reminded me of another feature that I find surprisingly missing:
why does HTML not allow checksumming external resources (CSS and
JavaScript files), so that when a file is downloaded it is hashed and the
hash has to match? This is the only way I would trust CDNs, which
provide an otherwise quite useful service. It would be more or less this:
<script
type="text/javascript"
src="//netdna.bootstrapcdn.com/js/bootstrap.min.js"
checksum="sha256://9a6a18e1719c987e5bc937abe">
</script>
Regards,
Eduardo
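An added example, not code from the mail or from any browser: a small Python verifier for the checksum attribute proposed above, run against a constructed page and script. The `sha256://<hex>` form, the `cdn.example` host, and the helper names are assumptions built on the proposal; the mechanism browsers later standardised, Subresource Integrity, uses an `integrity` attribute carrying a base64 digest instead.

```python
import hashlib
import hmac
from html.parser import HTMLParser

SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

# Constructed sample script; its SHA-256 is computed here rather than typed in,
# so the constructed page below is consistent with the bytes it references.
SAMPLE_JS = b"window.bootstrap = {version: 'constructed-sample'};\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_JS).hexdigest()
SAMPLE_HTML = ('<script type="text/javascript" src="//cdn.example/js/bootstrap.min.js" '
               f'checksum="sha256://{SAMPLE_DIGEST}"></script>')

def parse_checksum(value):
    # Split 'sha256://<hex>' into (algorithm, digest); a truncated or
    # malformed digest is rejected outright, since a partial hash pins nothing.
    algo, sep, digest = value.lower().partition("://")
    if not sep or algo not in SUPPORTED:
        raise ValueError(f"unsupported checksum algorithm: {algo!r}")
    if len(digest) != 2 * SUPPORTED[algo]().digest_size or set(digest) - set("0123456789abcdef"):
        raise ValueError("malformed or truncated digest")
    return algo, digest

class _ScriptCollector(HTMLParser):
    # Gather (src, checksum attribute or None) for every external <script>.
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("checksum")))

def verify_resource(data, checksum):
    # True only if the fetched bytes hash to the declared digest.
    algo, digest = parse_checksum(checksum)
    return hmac.compare_digest(SUPPORTED[algo](data).hexdigest(), digest)

def check_page(html, fetch):
    # fetch(src) -> bytes is supplied by the caller; a script without a
    # checksum is reported as 'unpinned' rather than silently trusted.
    p = _ScriptCollector()
    p.feed(html)
    verdicts = {}
    for src, checksum in p.scripts:
        if checksum is None:
            verdicts[src] = "unpinned"
        else:
            verdicts[src] = "ok" if verify_resource(fetch(src), checksum) else "mismatch"
    return verdicts
```

The 25-character digest in the mail's own snippet would be rejected by `parse_checksum` as truncated; a full 64-character SHA-256 digest is required before a resource is accepted.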