W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2012

Re: [whatwg] checksum attribute in a href tag

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 19 Oct 2012 16:49:01 +0000 (UTC)
To: "A. Rauschenbach" <rauschenbach@annuo.de>
Message-ID: <Pine.LNX.4.64.1210191637050.2471@ps20323.dreamhostps.com>
Cc: Whatwg <whatwg@whatwg.org>
On Fri, 19 Oct 2012, A. Rauschenbach wrote:
> 
> I'm sick of coping the checksum of important files by hand or QR-code to 
> the download manager or console.
> 
> To solve the problem I suggest a checksum attribute in the <a href> tag.
> 
> example: <a href="http://example.com/important.file"
> checksum="MD5:32c3675211199b671fbca1304d819289;SHA1:6e1ddeede3979c953788a3499616af35ee5fd772">download</a>
> 
> Another advantage is that your visitors (browser) can verify that the 
> document (e.g. a pdf) you linked to is still the same.

What is the attack scenario you are trying to avoid?

Without a discussion of what problem you're trying to solve, it's unclear 
how to evaluate the proposal.

The idea of a hash="" or checksum="" attribute on <a href> has come up 
before -- about once a year, as far as I can tell! -- but it's always been 
found lacking in one way or another.

e.g.: 
   http://lists.w3.org/Archives/Public/public-whatwg-archive/2006Nov/thread.html#msg233
   http://lists.w3.org/Archives/Public/public-whatwg-archive/2007Jul/0049.html
   http://lists.w3.org/Archives/Public/public-whatwg-archive/2008Dec/0376.html

(in the third one, search for "fingerprint".)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 19 October 2012 16:49:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:11 GMT