When we were putting together ideas for DDeflect we considered this as it would solve many problems. Apparently it's been proposed, and rejected, before?

http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2012-October/037668.html

Perhaps in these new times it would be worth raising again.

David

On 14-03-11 08:57 AM, Eduardo Robles Elvira wrote:
> On 11/03/14 13:41, Steve Schultze wrote:
> > Greetings all,
> >
> > A couple of years ago, I did some limited research on signed (but
> > not encrypted) HTTP responses. I discovered that although it had
> > been considered briefly by a few folks in the past, it never went
> > anywhere. This continues to be surprising to me, given the ever
> > increasing need to mirror content for a variety of reasons. Has
> > anyone on the list thought about this? It seems that our community
> > has a particularly strong case for such a thing.
> >
> > We sign software packages and emails. Why not http results? Ideally
> > this would call for an IETF standard implemented in the major http
> > servers, using certs already installed for https (if that is
> > technically possible... I haven't thought through the crypto).
> >
> > Steve
>
> Hello:
>
> This has reminded me of another feature that I find surprisingly missing:
> why HTML does not allow checksumming of external resources (css and
> javascript files) so that when downloaded, the file is hashed and the
> hash has to be matched? This is the only way I would trust CDNs, which
> provide an otherwise quite useful service.
> This would be it more or less:
>
> <script
> type="text/javascript"
> src="//netdna.bootstrapcdn.com/js/bootstrap.min.js"
> checksum="sha256://9a6a18e1719c987e5bc937abe">
> </script>
>
> Regards,
> Eduardo

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
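
As an added illustration (not part of the original thread and not any browser's behaviour), the sketch below is an offline checker for the `checksum="algo://hex"` attribute proposed in the quoted message, such as a mirror operator might run over pages and the copies they serve. The `HEX_LEN` table, the function names, the `cdn.example` URLs and the resource bodies are assumptions constructed for the example.

```python
import hashlib
import hmac
from html.parser import HTMLParser

HEX_LEN = {"sha256": 64, "sha512": 128}  # accepted algorithms -> hex digest length

class ChecksumCollector(HTMLParser):
    """Collect (url, checksum) pairs from <script>/<link> tags that declare one."""
    def __init__(self):
        super().__init__()
        self.declared = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("href")
        if tag in ("script", "link") and url and a.get("checksum"):
            self.declared.append((url, a["checksum"]))

def verify(body: bytes, checksum: str) -> str:
    """Return 'ok', 'mismatch' or 'malformed' for one fetched resource body."""
    algo, sep, hexdigest = checksum.lower().partition("://")
    # A shortened digest is never prefix-matched; it fails closed as malformed.
    if not sep or len(hexdigest) != HEX_LEN.get(algo):
        return "malformed"
    try:
        expected = bytes.fromhex(hexdigest)
    except ValueError:
        return "malformed"
    actual = hashlib.new(algo, body).digest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def audit(html: str, fetched: dict) -> dict:
    """Map every checksummed URL in `html` to its verification result."""
    parser = ChecksumCollector()
    parser.feed(html)
    return {url: verify(fetched[url], c) if url in fetched else "missing"
            for url, c in parser.declared}

# Constructed sample: one intact body, one altered copy, and the tag quoted
# in the thread, whose digest is shorter than a full SHA-256 value.
LIB = b"console.log('lib');\n"
PAGE = (
    '<script src="//cdn.example/lib.js" checksum="sha256://%s"></script>'
    '<script src="//cdn.example/changed.js" checksum="sha256://%s"></script>'
    '<script src="//netdna.bootstrapcdn.com/js/bootstrap.min.js" '
    'checksum="sha256://9a6a18e1719c987e5bc937abe"></script>'
) % ((hashlib.sha256(LIB).hexdigest(),) * 2)
FETCHED = {"//cdn.example/lib.js": LIB,
           "//cdn.example/changed.js": LIB + b"// altered in transit\n",
           "//netdna.bootstrapcdn.com/js/bootstrap.min.js": b"/* body */"}
```

Calling `audit(PAGE, FETCHED)` reports the intact copy as `ok`, the altered copy as `mismatch`, and the tag from the thread as `malformed`, because its digest is too short to be a SHA-256 value.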
