W3C home > Mailing lists > Public > www-html@w3.org > December 2015

Re: Signature Link Relation for Cryptographic Resource Verification

From: Safwat Halaby <softwatt@gmx.com>
Date: Wed, 9 Dec 2015 13:48:55 +0200
To: "Sean B. Palmer" <sean@miscoranda.com>
Cc: www-html@w3.org
Message-ID: <56681527.1060306@gmx.com>


Some further elaboration:

Regarding SHA1: Download links often work under the assumption that the
local (ideally https-encrypted) site is secure, since it is controlled
by the same person who is offering the download link, while the external
download server is considered untrusted. In such cases, there's often a
checksum and not a fully-fledged PGP signature.
Currently, while some downloads include a digital signature, others just
use a hash. There isn't a reason not to support both methods.

Regarding images and UX: An image with a failed checksum should probably
not be displayed (and perhaps display a warning). An image with a
successful checksum should display normally.

Regarding regular downloads and UX: If it's a signature, showing
signature information makes sense. If it's a simple checksum and the
check succeeds, the download simply proceeds transparently without
displaying any cryptographic info. If the check fails, an error is shown.
Received on Wednesday, 9 December 2015 11:49:19 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 9 December 2015 11:49:19 UTC