[liberationtech] Signed HTTP

Steve Schultze sjschultze at gmail.com
Wed Mar 19 04:42:02 PDT 2014


Hmm: http://www.w3.org/TR/SRI/

Subresource Integrity

W3C First Public Working Draft 18 March 2014

"This specification defines a mechanism by which user agents may verify
that a fetched resource has been delivered without unexpected manipulation."

On Mar 11, 2014 9:08 AM, "Eduardo Robles Elvira" <edulix at gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 11/03/14 13:41, Steve Schultze wrote:
> > Greetings all,
> >
> > A couple of years ago, I did some limited research on signed (but
> > not encrypted) HTTP responses. I discovered that although it had
> > been considered briefly by a few folks in the past, it never went
> > anywhere. This continues to be surprising to me, given the ever
> > increasing need to mirror content for a variety of reasons. Has
> > anyone on the list thought about this? It seems that our community
> > has a particularly strong case for such a thing.
> >
> > We sign software packages and emails. Why not http results? Ideally
> > this would call for an IETF standard implemented in the major http
> > servers, using certs already installed for https (if that is
> > technically possible...  I haven't thought through the crypto).
> >
> > Steve
>
> Hello:
>
> This has reminded me of another feature that I find surprisingly missing:
> why does HTML not allow checksumming of external resources (CSS and
> JavaScript files), so that when downloaded, the file is hashed and the
> hash has to match? This is the only way I would trust CDNs, which
> otherwise provide a quite useful service. This would be it, more or less:
>
> <script
>   type="text/javascript"
>   src="//netdna.bootstrapcdn.com/js/bootstrap.min.js"
>   checksum="sha256://9a6a18e1719c987e5bc937abe">
> </script>
>
> Regards,
> Eduardo
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iF4EAREIAAYFAlMfCCsACgkQqrnAQZhRnaoLhgD/TzQyzA014dE/5c+ItNMW88QC
> 5PA4NNJo1H0MY/rB/lUBAOqc4Ykr+6zXnmkyVrl1UtOT1cd+6V3YVGaeWf9nxj3m
> =ec9O
> -----END PGP SIGNATURE-----
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at stanford.edu.
>