Hmm: http://www.w3.org/TR/SRI/

Subresource Integrity, W3C First Public Working Draft 18 March 2014:
"This specification defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation."

On Mar 11, 2014 9:08 AM, "Eduardo Robles Elvira" <[email protected]> wrote:
> On 11/03/14 13:41, Steve Schultze wrote:
> > Greetings all,
> >
> > A couple of years ago, I did some limited research on signed (but not
> > encrypted) HTTP responses. I discovered that although it had been
> > considered briefly by a few folks in the past, it never went anywhere.
> > This continues to be surprising to me, given the ever increasing need
> > to mirror content for a variety of reasons. Has anyone on the list
> > thought about this? It seems that our community has a particularly
> > strong case for such a thing.
> >
> > We sign software packages and emails. Why not HTTP results? Ideally
> > this would call for an IETF standard implemented in the major HTTP
> > servers, using certs already installed for HTTPS (if that is
> > technically possible... I haven't thought through the crypto).
> >
> > Steve
>
> Hello:
>
> This has reminded me of another feature that I find surprisingly
> missing: why does HTML not allow checksumming external resources (CSS
> and JavaScript files), so that when downloaded, the file is hashed and
> the hash has to match? This is the only way I would trust CDNs, which
> provide an otherwise quite useful service.
>
> This would be it, more or less:
>
>     <script
>         type="text/javascript"
>         src="//netdna.bootstrapcdn.com/js/bootstrap.min.js"
>         checksum="sha256://9a6a18e1719c987e5bc937abe">
>     </script>
>
> Regards,
> Eduardo
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
