
Standardizing Firefox's Implementation of Link Fingerprints

From: Edward Lee <edilee@mozilla.com>
Date: Mon, 2 Jul 2007 16:21:16 -0700
Message-ID: <dc07ed930707021621v75c2d36dneb08b433dc3c44f0@mail.gmail.com>
To: ietf-http-wg@w3.org

For Firefox 3, there are patches [1] that implement Link Fingerprints,
which provide automatic resource verification for URIs that look like
http://site.com/file#hash(sha256:abc123) so that link providers can be
sure that end users download the exact file that the provider intended
(and not a trojaned download).

The fragment identifier portion of the URI is used for backwards
compatibility with existing clients while allowing for extended usage
across protocols (e.g., http, ftp) and resource contexts (e.g., a
href, img src). Additionally, fragment identifiers are not sent as
part of an HTTP request, so the network and servers do not need to be
changed. With the backwards compatibility, incremental deployment is
feasible with some clients supporting Link Fingerprints, and end users
don't need to do anything unless there's a fingerprint failure.

This is not the same as the Content-MD5 header because that hash is
generated by the server providing the file, while the Link Fingerprint
would be provided by the link provider. This is especially useful for
mirroring files, so that the centralized site providing links can be
kept more secure while less secure mirrors can host the file.

An initial draft to standardize Link Fingerprints is available online:

https://people.mozilla.com/~edilee/draft-lee-uri-linkfingerprints-00.txt

Feedback is welcome about the design, syntax, supported hashes,
failure cases, etc.

Ed

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=377245
Received on Monday, 2 July 2007 23:21:20 GMT
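
The client-side check described in the message above, as an added example that is not part of the original post and not Firefox's code. The fragment syntax follows the example URI in the message; the sha256-only allow-list, the status names and the fail-closed policy are assumptions of this sketch.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumption: allow-list picked for this example; the page does not list supported hashes.
ALLOWED = {"sha256": hashlib.sha256}
# Fragment shape taken from the page's example URI: hash(sha256:abc123)
FRAGMENT_RE = re.compile(r"hash\(([a-z0-9]+):([0-9a-fA-F]+)\)")

def request_target(uri):
    """URI as sent on the wire: the fragment is dropped, so servers see no change."""
    return urlsplit(uri)._replace(fragment="").geturl()

def verify(uri, body):
    """Check downloaded bytes against the fingerprint carried in the link.

    Returns 'unverified' (no fingerprint, legacy link), 'match', or one of the
    failures 'malformed', 'unsupported', 'mismatch'. Failing closed on the last
    three is this example's policy, not something the page specifies.
    """
    fragment = urlsplit(uri).fragment
    if not fragment.startswith("hash("):
        return "unverified"
    m = FRAGMENT_RE.fullmatch(fragment)
    if m is None:
        return "malformed"
    algo, expected = m.group(1), m.group(2).lower()
    if algo not in ALLOWED:
        return "unsupported"
    digest = ALLOWED[algo](body).hexdigest()
    if len(expected) != len(digest):
        return "mismatch"  # truncated digests are rejected, not prefix-matched
    return "match" if hmac.compare_digest(digest, expected) else "mismatch"

# Constructed sample data: the file as published and a modified copy on a mirror.
ORIGINAL = b"installer v1.0\n"
TAMPERED = b"installer v1.0 + extra payload\n"
LINK = "http://mirror.example/file#hash(sha256:%s)" % hashlib.sha256(ORIGINAL).hexdigest()

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label, "->", verify(LINK, body))
    print("request sent for:", request_target(LINK))
```

The fingerprint only binds the file to the page that carried the link, so the check is as trustworthy as the channel that delivered that page.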
