- From: Edward Lee <edilee@mozilla.com>
- Date: Mon, 2 Jul 2007 16:21:16 -0700
- To: ietf-http-wg@w3.org
For Firefox 3, there are patches [1] that implement Link Fingerprints, which provide automatic resource verification for URIs that look like http://site.com/file#hash(sha256:abc123) so that link providers can be sure that end users download the exact file that the provider intended (and not a trojaned download). The fragment identifier portion of the URI is used for backwards compatibility with existing clients while allowing for extended usage across protocols (e.g., http, ftp) and resource contexts (e.g., a href, img src). Additionally, fragment identifiers are not sent as part of a HTTP request, so the network and servers do not need to be changed. With the backwards compatibility, incremental deployment is feasible with some clients supporting Link Fingerprints, and end users don't need to do anything unless there's a fingerprint failure. This is not the same as the Content-MD5 header because that hash is generated by the server providing the file, while the Link Fingerprint would be provided by the link provider. This is especially useful for mirroring files, so that the centralized site providing links can be kept more secure while less secure mirrors can host the file. An initial draft to standardize Link Fingerprints is available online.. https://people.mozilla.com/~edilee/draft-lee-uri-linkfingerprints-00.txt Feedback is welcome about the design, syntax, supported hashes, failure cases, etc. Ed [1] https://bugzilla.mozilla.org/show_bug.cgi?id=377245
Received on Monday, 2 July 2007 23:21:20 UTC