- From: Safwat <softwatt@gmx.com>
- Date: Wed, 9 Dec 2015 13:29:14 +0200
- To: "Sean B. Palmer" <sean@miscoranda.com>
- Cc: www-html@w3.org

On 12/08/2015 05:42 PM, Sean B. Palmer wrote:
> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>

This draft has great potential if expanded. I propose three additions. The rationale for each of them is explained in the next section.

1 - Why limit this to PGP? Simple hashes like SHA1 should also be possible.

2 - Inlining a checksum should be possible.

<a href="/download/example.tar.gz" rels="signature-sha1 f572d396fae9206628714fb2ce00f72e94f2258f">Click here to download</a>

3 - This should also work for <img> tags.

<img src="/static/hello.png" rels="signature-sha1 f572d396fae9206628714fb2ce00f72e94f2258f">

Rationale:

1 - SHA1 is shorter, allowing compact inlining. This makes "2" feasible.

2 - Inlining means fewer page requests; this would allow signatures to be used on multiple <img> tags without performance degradation. This makes "3" feasible for websites with many images.

3, a - Websites often have images which are fetched from external websites. Currently, these images are not verified at all, and the external server can modify them at will. Adding this mechanism resolves this.

3, b - Currently, https-encrypted sites which use external CDNs for images must employ some certificate witchcraft. With this change, https sites can safely link to images hosted on unencrypted servers. Those images will be verified by the checksum. Of course, this shouldn't be done for an image whose URL is supposed to be secret.

Received on Wednesday, 9 December 2015 11:29:41 UTC
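
The check proposed in the message above, sketched as an added example (not code from the message or from the draft): extract inline checksums from <a> and <img> tags and compare them against the bytes actually fetched. The class and function names, the "signature-sha256" token and the cdn.example URL are assumptions made for illustration; only the rels="signature-sha1 <hex>" form comes from the message.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# "signature-sha1" is from the message; "signature-sha256" is an assumed extension.
ALGORITHMS = {"signature-sha1": "sha1", "signature-sha256": "sha256"}

class ChecksumLinkParser(HTMLParser):
    """Collect (url, algorithm, digest) from <a>/<img> tags carrying `rels`."""
    def __init__(self):
        super().__init__()
        self.pins = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("href" if tag == "a" else "src")
        parts = (attrs.get("rels") or "").split()
        if tag not in ("a", "img") or not url or len(parts) != 2:
            return
        algorithm, digest = ALGORITHMS.get(parts[0].lower()), parts[1].lower()
        # Drop unknown algorithms and digests with the wrong length or alphabet.
        if algorithm is None or len(digest) != hashlib.new(algorithm).digest_size * 2:
            return
        if any(c not in "0123456789abcdef" for c in digest):
            return
        self.pins.append((url, algorithm, digest))

def extract_pins(html):
    parser = ChecksumLinkParser()
    parser.feed(html)
    return parser.pins

def check_page(html, fetched):
    """Map each pinned URL to True/False; a body that was not fetched fails."""
    results = {}
    for url, algorithm, digest in extract_pins(html):
        body = fetched.get(url)
        actual = hashlib.new(algorithm, body).hexdigest() if body is not None else ""
        results[url] = hmac.compare_digest(actual, digest)
    return results

# Constructed sample: the image is intact, the archive was altered after pinning.
IMAGE = b"constructed image bytes"
SAMPLE_HTML = (
    '<img src="http://cdn.example/hello.png" rels="signature-sha1 %s">'
    '<a href="/download/example.tar.gz" rels="signature-sha1 %s">Download</a>'
    % (hashlib.sha1(IMAGE).hexdigest(), hashlib.sha1(b"original archive").hexdigest())
)
SAMPLE_FETCHED = {"http://cdn.example/hello.png": IMAGE,
                  "/download/example.tar.gz": b"tampered archive"}
```

Calling check_page(SAMPLE_HTML, SAMPLE_FETCHED) reports the image as verified and the altered archive as failed.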