On 11/03/14 13:41, Steve Schultze wrote:
> Greetings all,
>
> A couple of years ago, I did some limited research on signed (but
> not encrypted) HTTP responses. I discovered that although it had
> been considered briefly by a few folks in the past, it never went
> anywhere. This continues to be surprising to me, given the ever
> increasing need to mirror content for a variety of reasons. Has
> anyone on the list thought about this? It seems that our community
> has a particularly strong case for such a thing.
>
> We sign software packages and emails. Why not http results? Ideally
> this would call for an IETF standard implemented in the major http
> servers, using certs already installed for https (if that is
> technically possible... I haven't thought through the crypto).
>
> Steve

Hello:

This has reminded me of another feature that I find surprisingly missing: why HTML does not allow checksumming external resources (css and javascript files) so that when downloaded, the file is hashed and the hash has to be matched? This is the only way I would trust CDNs, which provide an otherwise quite useful service.

This would be it more or less:

    <script type="text/javascript"
            src="//netdna.bootstrapcdn.com/js/bootstrap.min.js"
            checksum="sha256://9a6a18e1719c987e5bc937abe">
    </script>

Regards,
Eduardo

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech.
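
The check proposed in the message above, sketched as an added example (not code from the thread or from any browser): a fail-closed verifier for the hypothetical `checksum="<alg>://<hex>"` attribute. The function names and the sample resource bodies are constructed for illustration.

```javascript
// Added example (not from the original thread): fail-closed verifier for
// the proposed checksum="<alg>://<hex digest>" attribute.
const crypto = require('node:crypto');

// Allowlisted algorithms and the exact hex length of a full digest.
const DIGEST_HEX_LEN = new Map([['sha256', 64], ['sha384', 96], ['sha512', 128]]);

// Publisher side: build the attribute value for a resource body.
function makeChecksum(body, alg = 'sha256') {
  if (!DIGEST_HEX_LEN.has(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}://${crypto.createHash(alg).update(body).digest('hex')}`;
}

// Parse "alg://hex". Throws on unknown algorithms and on digests that are
// not full length, so a truncated value can never match by prefix.
function parseChecksum(attr) {
  const m = /^([a-z0-9]+):\/\/([0-9a-f]+)$/i.exec(String(attr).trim());
  if (!m) throw new Error('malformed checksum attribute');
  const alg = m[1].toLowerCase();
  const hex = m[2].toLowerCase();
  if (!DIGEST_HEX_LEN.has(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  if (hex.length !== DIGEST_HEX_LEN.get(alg)) throw new Error('digest is not full length');
  return { alg, digest: Buffer.from(hex, 'hex') };
}

// Client side: hash the downloaded bytes and compare with the pinned digest.
// Any parse error counts as a mismatch, so the resource is not executed.
function verifyResource(body, attr) {
  let pinned;
  try {
    pinned = parseChecksum(attr);
  } catch {
    return false;
  }
  return crypto.createHash(pinned.alg).update(body).digest().equals(pinned.digest);
}

// Constructed sample data: a stand-in for the CDN file and a tampered copy.
const original = Buffer.from('window.bootstrapStub = true;\n');
const tampered = Buffer.from('window.bootstrapStub = true; /* injected */\n');
const pinnedAttr = makeChecksum(original);

console.log(verifyResource(original, pinnedAttr));
console.log(verifyResource(tampered, pinnedAttr));
// The digest in the email's sketch is shortened, so it is rejected outright.
console.log(verifyResource(original, 'sha256://9a6a18e1719c987e5bc937abe'));
```

Browsers later shipped this idea as the `integrity` attribute (W3C Subresource Integrity), which takes values of the form `sha384-<base64 digest>` rather than the hex format sketched here.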
