[liberationtech] Signed HTTP

[Natanael]

Den 11 mar 2014 20:42 skrev "Gregory Maxwell" <gmaxwell at gmail.com>:
>
> On Tue, Mar 11, 2014 at 12:37 PM, Patrick Schleizer
> <adrelanos at riseup.net> wrote:
> > Natanael:
> >> It would probably be as easy as using SSL with a "null cipher" with
> >> authentication like poly1305.
> >
> > I preferred to sign the source files on my local hdd using a tool that
> > internally uses gpg. That way the SSL CA's wouldn't have any power over
> > it, neither the web server.
> >
> > If we were to rely on web servers / SSL CA's for this, I wouldn’t see
> > the benefit in signing http.
>
> Please be very careful not to conflate signatures and authentication.
>
> SSL and null cipher with auth would provide authentication but not
signatures.
>
> Signatures provide non-reputation, which is very useful in some
> contexts, and somewhat harmful in others.
>
> There are applications where non-reputation of web-page data would be
> quite useful. Esp if it can be extracted from inside the encryption.
>
> I'm mostly drawing a blank on why you'd want authentication without
> encryption, however, encryption is cheap.

Usually the reason for authentication without encryption is caching, like
for popular YouTube videos or maybe software upgrades from a repository.

Also, there's no reason to complain about CA:s in this context either,
simply for the reason that Monkeysphere exists. You can use GPG already,
plugged in to replace the standard certificates and authentication. There's
a browser plugin for it, and a tool to use it with SSH, and more. Then you
can set up your own trust system and have your authenticated unencrypted
connection.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140311/2ef13eed/attachment.html>