[liberationtech] Signed HTTP
David H. Mason
david at equalit.ie
Tue Mar 11 06:21:53 PDT 2014
When we were putting together ideas for DDeflect we considered this as
it would solve many problems. Apparently it's been proposed, and
rejected, before?
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2012-October/037668.html
Perhaps in these new times it would be worth raising again.
David
On 14-03-11 08:57 AM, Eduardo Robles Elvira wrote:
> On 11/03/14 13:41, Steve Schultze wrote:
> > Greetings all,
>
> > A couple of years ago, I did some limited research on signed (but
> > not encrypted) HTTP responses. I discovered that although it had
> > been considered briefly by a few folks in the past, it never went
> > anywhere. This continues to be surprising to me, given the ever
> > increasing need to mirror content for a variety of reasons. Has
> > anyone on the list thought about this? It seems that our community
> > has a particularly strong case for such a thing.
>
> > We sign software packages and emails. Why not http results? Ideally
> > this would call for an IETF standard implemented in the major http
> > servers, using certs already installed for https (if that is
> > technically possible... I haven't thought through the crypto).
>
> > Steve
>
> Hello:
>
> This has reminded me of another feature that I find surprisingly missing:
> why does HTML not allow checksumming external resources (css and
> javascript files) so that when downloaded, the file is hashed and the
> hash has to be matched? This is the only way I would trust CDNs, which
> provide an otherwise quite useful service. This would be it more or less:
>
> <script
> type="text/javascript"
> src="//netdna.bootstrapcdn.com/js/bootstrap.min.js"
> checksum="sha256://9a6a18e1719c987e5bc937abe">
> </script>
>
> Regards,
> Eduardo
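The check proposed in the quoted message, as an added example that is not part of the original thread or any participant's code: a Node.js sketch that verifies a downloaded resource against a pinned digest and fails closed. The function names `parsePin` and `verifyResource` are hypothetical, the sample bodies are constructed, the `sha256://<hex>` syntax is the thread's proposal, and the `sha256-<base64>` form is the one used by the Subresource Integrity `integrity` attribute.

```javascript
const crypto = require('node:crypto');

const DIGEST_LEN = { sha256: 32, sha384: 48, sha512: 64 }; // bytes

// Accepts the thread's proposed "sha256://<hex>" form or the SRI
// "sha256-<base64>" form. Returns { algo, digest } or null.
function parsePin(pin) {
  let m = /^(sha256|sha384|sha512):\/\/([0-9a-f]+)$/i.exec(pin);
  if (m) return { algo: m[1].toLowerCase(), digest: Buffer.from(m[2], 'hex') };
  m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(pin);
  if (m) return { algo: m[1], digest: Buffer.from(m[2], 'base64') };
  return null;
}

// Fail closed: unparseable pin, truncated digest, or mismatch => false.
function verifyResource(body, pin) {
  const parsed = parsePin(pin);
  if (!parsed || parsed.digest.length !== DIGEST_LEN[parsed.algo]) return false;
  const actual = crypto.createHash(parsed.algo).update(body).digest();
  return actual.equals(parsed.digest);
}

// Constructed sample: what the page author pinned vs. what a mirror served.
const original = Buffer.from('window.widget = function () { return 1; };\n');
const tampered = Buffer.concat([original, Buffer.from('/* injected */\n')]);
const hexPin = 'sha256://' + crypto.createHash('sha256').update(original).digest('hex');
const sriPin = 'sha256-' + crypto.createHash('sha256').update(original).digest('base64');
// The shortened value shown in the message above; too short for SHA-256.
const truncatedPin = 'sha256://9a6a18e1719c987e5bc937abe';

function demo() {
  return {
    originalHex: verifyResource(original, hexPin),
    originalSri: verifyResource(original, sriPin),
    tamperedHex: verifyResource(tampered, hexPin),
    truncated: verifyResource(original, truncatedPin),
    unknownAlgo: verifyResource(original, 'md5://' + '0'.repeat(32)),
  };
}

console.log(demo());
```

A hash pin only binds the resource to the page that references it, so the page itself still has to arrive over an authenticated channel.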