On Tue, Mar 11, 2014 at 12:37 PM, Patrick Schleizer <[email protected]> wrote:
> Natanael:
>> It would probably be as easy as using SSL with a "null cipher" with
>> authentication like poly1305.
>
> I preferred to sign the source files on my local hdd using a tool that
> internally uses gpg. That way the SSL CA's wouldn't have any power over
> it, neither the web server.
>
> If we were to rely on web servers / SSL CA's for this, I wouldn’t see
> the benefit in signing http.

Please be very careful not to conflate signatures and authentication. SSL and null cipher with auth would provide authentication but not signatures.

Signatures provide non-repudiation, which is very useful in some contexts, and somewhat harmful in others. There are applications where non-repudiation of web-page data would be quite useful. Esp. if it can be extracted from inside the encryption.

I'm mostly drawing a blank on why you'd want authentication without encryption, however, encryption is cheap.

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
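
The distinction drawn in the message above, as an added example that is not part of the original thread: a shared-key tag can be produced by either holder of the key, so it proves nothing to a third party, while a signature can only come from the private-key holder. Assumptions: HMAC-SHA256 stands in for the poly1305 authenticator, a Lamport one-time signature (standard library only) stands in for gpg, and the messages are constructed sample data.

```python
import hashlib, hmac, secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

# Shared-key authentication: both ends of the connection hold `key`.
def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)

# Lamport one-time signature: the key pair must sign exactly one message.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret per digest bit; only the sk holder can do this.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    bits = _bits(msg)
    return len(sig) == 256 and all(H(s) == pk[i][bits[i]] for i, s in enumerate(sig))

def demo():
    served = b"constructed sample: page body as sent by the server"
    altered = b"constructed sample: page body the server never sent"
    key = secrets.token_bytes(32)            # session key known to both peers
    server_tag = mac_tag(key, served)
    client_tag = mac_tag(key, altered)       # the receiver can compute this too
    sk, pk = lamport_keygen()                # sk stays with the publisher
    sig = lamport_sign(sk, served)
    return {
        "mac_server_msg": mac_verify(key, served, server_tag),
        "mac_receiver_made_msg": mac_verify(key, altered, client_tag),
        "sig_server_msg": lamport_verify(pk, served, sig),
        "sig_reused_on_other_msg": lamport_verify(pk, altered, sig),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Both MAC checks pass, so the tag cannot show a third party which peer wrote the data; the signature verifies only on the message the private-key holder signed.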
