- From: Dan Connolly <connolly@w3.org>
- Date: Tue, 22 Apr 2008 09:22:07 +0800
- To: Martin Uecker <muecker@gmx.de>
- Cc: www-archive@w3.org
Martin Uecker wrote: > Hi, > > I have to ideas about URLs and don't know who to bug about it ;-) These are both good ideas; I've seen some work on them and would like to see more... > > a thing I always missed are URLs which include certain security > information. These URLs would come in two flavours: > > One kind for static content where the URL contains > a cryptographic hash of the destination. The client would then > check the content against the hash and show an error if it > doesn't match. I don't recall where I've seen work on this. One place is http://www.metalinker.org/ but that puts the checksum in an XML data format, not within the URL itself. > This would extend the common praxis of providing > md5sums together URLs to binary content to guard against > trojaned programs on compromised servers or against simple > data corruption. Unfortunately, most people are to lazy to > check this hashes manually. Including the hash into the URL > and make this check automatically in the browser would make > this kind of protection a simple default. Besides replacing > this historical use of md5sums, this kind of protection is > certainly usefull in a lot of different applications. > > The other kind of URL would contain the fingerprint of a public key > which could be used authentificate the destination. See http://www.waterken.com/dev/YURL/httpsy/ You might also talk with Tyler Close, the developer, about barriers to adoption that he ran into. > This could > extend the usage of secure URLs to dynamic content. The client > could then use these fingerprints to validate a signature on > the page at the destination. Another possible application is > to authentificate a SSL connection to the destination, providing > a practical alternative to those useless SSL certificates. > > > If there is already something like this, could somebody point > me into the right direction? > > > Cheers, > Martin -- Dan Connolly, W3C http://www.w3.org/People/Connolly/
Received on Tuesday, 22 April 2008 01:22:44 UTC