Steve Schultze: > Greetings all, > > A couple of years ago, I did some limited research on signed (but not > encrypted) HTTP responses. I discovered that although it had been > considered briefly by a few folks in the past, it never went anywhere. This > continues to be surprising to me, given the ever increasing need to mirror > content for a variety of reasons. Has anyone on the list thought about > this? It seems that out community has a particularly strong case for such a > thing. > > We sign software packages and emails. Why not http results? Ideally this > would call for an IETF standard implemented in the major http servers, > using certs already installed for https (if that is technically > possible... I haven't thought through the crypto). > > Steve
As said, I preferred to sign my websites locally with gpg. Problem is, nowadays we're all using fancy web applications (mediawiki, wordpress, etc.) and the html is dynamically created on the server. There is PGPHTML [1], but there are licensing problems. [2] Signed content also should require re-singing after a configurable amount of time to prevent downgrade and permanent freeze attacks (replaying previously released, old signed messages). (A valid-until field similar to [3].) And while we're add it, why not support gpg encrypted http as well? Websites, which would only be available to those who have the required private keys to read it. [1] http://www.sanface.com/pgphtml.html [2] https://www.whonix.org/wiki/Dev/OpenPGP_Signed_Website#cite_note-2 [3] http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
