[liberationtech] Signed HTTP

Patrick Schleizer adrelanos at riseup.net
Tue Mar 11 12:37:57 PDT 2014


Natanael:
> It would probably be as easy as using SSL with a "null cipher" with
> authentication like poly1305.

I preferred to sign the source files on my local HDD using a tool that
internally uses gpg. That way the SSL CAs wouldn't have any power over
it, nor would the web server.

If we were to rely on web servers / SSL CAs for this, I wouldn't see
the benefit in signing HTTP.



