Martin Uecker wrote:
Hi,
I have to ideas about URLs and don't know who to bug about it ;-)
These are both good ideas; I've seen some work on them and
would like to see more...
a thing I always missed are URLs which include certain security
information. These URLs would come in two flavours:
One kind for static content where the URL contains
a cryptographic hash of the destination. The client would then
check the content against the hash and show an error if it
doesn't match.
I don't recall where I've seen work on this.
One place is http://www.metalinker.org/ but that puts
the checksum in an XML data format, not within the URL itself.
This would extend the common praxis of providing
md5sums together URLs to binary content to guard against
trojaned programs on compromised servers or against simple
data corruption. Unfortunately, most people are to lazy to
check this hashes manually. Including the hash into the URL
and make this check automatically in the browser would make
this kind of protection a simple default. Besides replacing
this historical use of md5sums, this kind of protection is
certainly usefull in a lot of different applications.
The other kind of URL would contain the fingerprint of a public key
which could be used authentificate the destination.
See
http://www.waterken.com/dev/YURL/httpsy/
You might also talk with Tyler Close, the developer,
about barriers to adoption that he ran into.
This could
extend the usage of secure URLs to dynamic content. The client
could then use these fingerprints to validate a signature on
the page at the destination. Another possible application is
to authentificate a SSL connection to the destination, providing
a practical alternative to those useless SSL certificates.
If there is already something like this, could somebody point
me into the right direction?
Cheers,
Martin
--
Dan Connolly, W3C http://www.w3.org/People/Connolly/
