Signed and cached - BlueSkyDreaming was Re: Include CSS in emails

This topic is in teh realms of wishful thinking for the future, so I'll  
let it sit after this and get on with work useful for today. But…

On Thu, 06 Feb 2014 11:49:46 +0400, Neil Jenkins <neilj@fastmail.fm> wrote:

> On Thu, 6 Feb 2014, at 06:43 PM, Charles McCathie Nevile wrote:

>> On the other hand, the combination of discussions about sanitising
>> CSS, and signing Javascript for inclusion, makes me wonder if there is
>> any value in having links to known (signed), sanitised CSS.
>
> Known to whom? Signed and verified how? Trusted why? What standard of
> sanitisation? What if different services (for some reason) require
> different things to be sanitised to avoid conflicts? Not saying this
> isn't an interesting idea, but there're a lot of difficulties to
> overcome to make it work (and, of course, you still have the whole issue
> of tracking with *any* remote content).

The rough thing I am thinking is that different email systems will have  
different cleaning rules. But if a stylesheet can be checked, e.g. by  
passing it through the fantasy services fastmail.fm/styleChecker and  
mail.yandex.ru/FilterStyleBugs and gmail.com/CompromisedStyleScrubber and  
so on, the acme broadsheet company, who sends me email every 3 days, could  
publish the signed version of their style sheet, and various providers  
would only have to check the signature to know they have approved the  
content.

This could actually enable reduced tracking - I could rely on my provider  
(who already knows where my email comes from) to enrich the content  
without overly identifying me. At least in the case of fastmail, yandex,  
etc, who have a lot of customers. Anonymity might not work so well in my  
account on chaals.com - although if fastmail were handling that, they  
could make the request as fastmail and effectively anonymise me.

On the other hand, reduced tracking often enables reduced value - in  
today's internet identity is the currency we often pay for services. There  
is a separate idea going around this group about whether there are methods  
of tracking that are reliable and allow for users to opt out.

Anyway, enough of the idea for now - back to work on the more boring  
practical stuff...

cheers

Chaals

-- 
Charles McCathie Nevile - Consultant (web standards) CTO Office, Yandex
       chaals@yandex-team.ru         Find more at http://yandex.com

Received on Thursday, 6 February 2014 11:02:26 UTC