- From: Michel Fortin <michel.fortin@michelf.com>
- Date: Tue, 14 Nov 2006 11:53:43 -0500
Le 13 nov. 2006 ? 1:39, ryan king a ?crit : > On Nov 8, 2006, at 8:28 AM, Ian Hickson wrote: > >> Given the various mechanisms that already exist to do this, it >> seems like >> adding yet another one would be a bad idea. > > I concur. If people are already using these technologies, we could > learn from their usage and find ways to improve the technology. If > they aren't being used widely, it would be wise to question whether > there is demand for this functionality. I'm sure there is demand. A lot of software download pages already give you MD5 or SHA-1 digests values to check the validity of the downloaded file, but it's trouble to check them manually and people rarely do so. I see only two mechanisms that do what the hash attribute would do: it's the hash microformat[1] and link fingerprints[2]. All others require either special URIs schemes[2] which won't work in today's browsers, or are attached directly to the file, like the md5-digest HTTP header, which means that a tampered file is very likely to get its digest updated accordingly. [1]: http://microformats.org/wiki/hash-examples [2]: http://mdhashtool.mozdev.org/lfinfo.html [3]: http://magnet-uri.sourceforge.net/ I'm beginning to think that the link "fingerprint" method is best solution because the hash is more portable as part of the URL. I could for instance copy a fingerprinted URL right into this email: http://example.com/file#!md5!b3187253c1667fac7d20bb762ad53967 and a knowledgeable browser receiving this URL would know how to check the validity of the received document. The two concerns I have with it is that it somewhat distorts the concept of a fragment identifier, and it's generally going to be lost if there is any redirection (although a browser that knows about fingerprints could keep them across redirections). Michel Fortin michel.fortin at michelf.com http://www.michelf.com/
Received on Tuesday, 14 November 2006 08:53:43 UTC