
Re: secure URLs

From: Dan Connolly <connolly@w3.org>
Date: Tue, 22 Apr 2008 09:22:07 +0800
Message-ID: <480D3DBF.303@w3.org>
To: Martin Uecker <muecker@gmx.de>
Cc: www-archive@w3.org

Martin Uecker wrote:
> Hi,
> 
> I have two ideas about URLs and don't know who to bug about it ;-)


These are both good ideas; I've seen some work on them and
would like to see more...

> 
> A thing I always missed are URLs which include certain security
> information. These URLs would come in two flavours:
> 
> One kind for static content where the URL contains
> a cryptographic hash of the destination. The client would then
> check the content against the hash and show an error if it
> doesn't match.

I don't recall where I've seen work on this.
One place is http://www.metalinker.org/ but that puts
the checksum in an XML data format, not within the URL itself.

> This would extend the common practice of providing
> md5sums together with URLs to binary content to guard against
> trojaned programs on compromised servers or against simple
> data corruption. Unfortunately, most people are too lazy to
> check these hashes manually. Including the hash in the URL
> and making this check automatically in the browser would make
> this kind of protection a simple default. Besides replacing
> this historical use of md5sums, this kind of protection is
> certainly useful in a lot of different applications.
> 
> The other kind of URL would contain the fingerprint of a public key
> which could be used to authenticate the destination.

See
http://www.waterken.com/dev/YURL/httpsy/

You might also talk with Tyler Close, the developer,
about barriers to adoption that he ran into.

> This could
> extend the usage of secure URLs to dynamic content. The client
> could then use these fingerprints to validate a signature on
> the page at the destination. Another possible application is
> to authenticate an SSL connection to the destination, providing
> a practical alternative to those useless SSL certificates.
> 
> 
> If there is already something like this, could somebody point
> me in the right direction?
> 
> 
> Cheers,
> Martin


-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
Received on Tuesday, 22 April 2008 01:22:44 GMT
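
The client-side check proposed in the thread for static content, as an added example that is not part of either message. The `#hash=<algo>:<hex>` fragment syntax, the function names and the sample URL are assumptions; the thread defines no format. The sketch accepts only SHA-256 and SHA-512 rather than the md5sums the thread mentions, because MD5 collisions make it unfit for detecting deliberately substituted content.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Assumption: the digest travels in the fragment as "hash=<algo>:<hex>".
# This syntax is hypothetical; the thread does not define one.
ALLOWED = {"sha256": 64, "sha512": 128}  # algo -> hex digest length


class IntegrityError(Exception):
    """Raised when a hash-bearing URL is malformed or the content does not match."""


def parse_hashed_url(url):
    """Split a URL into (fetch_url, algo, expected_hex)."""
    parts = urlsplit(url)
    values = parse_qs(parts.fragment).get("hash", [])
    if len(values) != 1 or ":" not in values[0]:
        raise IntegrityError("URL carries no single hash=<algo>:<hex> fragment")
    algo, _, digest = values[0].partition(":")
    algo, digest = algo.lower(), digest.lower()
    if algo not in ALLOWED:
        # MD5 and SHA-1 are refused: collisions make them unfit for this check.
        raise IntegrityError(f"unsupported hash algorithm: {algo}")
    if len(digest) != ALLOWED[algo] or any(c not in "0123456789abcdef" for c in digest):
        raise IntegrityError("digest is not a full-length hex string")
    # The fragment is never sent to the server, so strip it before fetching.
    fetch_url = urlunsplit(parts._replace(fragment=""))
    return fetch_url, algo, digest


def verify_content(url, body):
    """Return the fetch URL if body matches the URL's digest, else raise."""
    fetch_url, algo, expected = parse_hashed_url(url)
    actual = hashlib.new(algo, body).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"content hash mismatch for {fetch_url}")
    return fetch_url


# Constructed sample: a download body and the URL a publisher would hand out.
SAMPLE_BODY = b"release-1.0 tarball bytes (constructed sample)\n"
SAMPLE_URL = ("https://downloads.example/release-1.0.tar.gz#hash=sha256:"
              + hashlib.sha256(SAMPLE_BODY).hexdigest())

if __name__ == "__main__":
    print(verify_content(SAMPLE_URL, SAMPLE_BODY))
```

The check only helps when the URL itself reaches the user over a channel the attacker does not control; a hash served from the same compromised server as the content can be replaced along with it.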
