[liberationtech] Signed HTTP
Gregory Maxwell
gmaxwell at gmail.com
Tue Mar 11 12:42:37 PDT 2014
On Tue, Mar 11, 2014 at 12:37 PM, Patrick Schleizer
<adrelanos at riseup.net> wrote:
> Natanael:
>> It would probably be as easy as using SSL with a "null cipher" with
>> authentication like poly1305.
>
> I preferred to sign the source files on my local hdd using a tool that
> internally uses gpg. That way the SSL CA's wouldn't have any power over
> it, neither the web server.
>
> If we were to rely on web servers / SSL CA's for this, I wouldn’t see
> the benefit in signing http.
Please be very careful not to conflate signatures and authentication.
SSL and null cipher with auth would provide authentication but not signatures.
Signatures provide non-repudiation, which is very useful in some
contexts, and somewhat harmful in others.
There are applications where non-repudiation of web-page data would be
quite useful. Esp if it can be extracted from inside the encryption.
I'm mostly drawing a blank on why you'd want authentication without
encryption, however, encryption is cheap.
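The signature-versus-authentication distinction above, as an added example that is not part of the thread: an HMAC stands in for the TLS record MAC (the "null cipher with authentication" case), and a Lamport one-time signature built only from SHA-256 stands in for a gpg signature. The recipient of a MAC holds the shared key and can mint a tag for any altered page, so the tag proves nothing to a third party; the recipient of a signature holds only the public key, so reusing a genuine signature on an altered page fails verification. All inputs are constructed sample data.

```python
import hashlib
import hmac
import os

# --- Authentication: HMAC with a shared key (what a TLS record MAC gives you) ---
def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Verifying needs the same key that tags, so anyone who can verify can also forge.
    return hmac.compare_digest(mac_tag(key, msg), tag)

# --- Signature: Lamport one-time signature over SHA-256 (stand-in for gpg/Ed25519) ---
def lamport_keygen():
    # Private key: 256 pairs of random 32-byte secrets; public key: their SHA-256 hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _msg_bits(msg: bytes):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret per message bit. One-time: never sign two messages with one key.
    return [sk[i][b] for i, b in enumerate(_msg_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    # Only the public hashes are needed, so being able to verify does not let you forge.
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _msg_bits(msg))))

def non_repudiation_demo():
    page = b"<html>constructed sample page</html>"  # constructed sample input
    altered = b"<html>constructed sample page, edited by the recipient</html>"
    # MAC: the recipient shares the key, so it can mint a valid tag for an altered page.
    key = os.urandom(32)
    recipient_forgery = mac_tag(key, altered)
    mac_forgery_verifies = mac_verify(key, altered, recipient_forgery)
    # Signature: the recipient holds only pk; reusing the real signature on an altered page fails.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, page)
    sig_verifies = lamport_verify(pk, page, sig)
    sig_reuse_verifies = lamport_verify(pk, altered, sig)
    return mac_forgery_verifies, sig_verifies, sig_reuse_verifies

if __name__ == "__main__":
    print(non_repudiation_demo())  # (True, True, False)
```

A signature stored alongside the page can later be shown to anyone holding the public key, which is the "extracted from inside the encryption" property; a MAC tag, or a TLS transcript, cannot be used that way.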