in reply to (ichimunki) Re: Digital Signatures on Web Pages
in thread Digital Signatures on Web Pages

Update: misread ichimunki's comment. Sorry :(

Better would be a signed text file containing the approved MD5 or SHA1 hashes for the downloadable files or libraries.

In my original post, I said that downloadable files are so-signed. But how does the downloader know that it was signed by the right person? Seeing the same sig identity in other places establishes knowledge of that person. That's the whole point of doing this.

Besides having an external sig file for the whole page, here are a couple of reasons why it would be nice to sign just parts of a page:

Consider signing the "script" that's embedded in an HTML file. I was also thinking of putting together parts into a single presented page, where each part is already signed. For example, public statements and contact info.

If HTML is dynamically generated, such quoted blocks, like "send payment to..." could have sigs built into the template. —John

(ichimunki) Re x 3: Digital Signatures on Web Pages
by ichimunki (Priest) on Sep 21, 2001 at 23:49 UTC
    that doesn't mean it makes no sense

    That's why I said it did make sense. :)

    If you have pieces of a web-page that are static so that they can be signed, it's a great idea. I'd love to see an application that helped verify embedded signatures in HTML from places like PM, where it would be nice to verify that a user is the same user from elsewhere based on their signature.

    But how does the downloader know that it was signed by the right person?

    The same way they'd know if the file itself was signed correctly.

    It's an intriguing notion; it would be fun (and potentially useful) to have a web page that had IMG tags that had a signature attribute and the browser would note whether the image was signed or not. Or would do the work of detecting any signed element and validating it -- good suggestion. Is there something in the HTML spec that allows for this, or would we simply use a comment field?

    The real fun is how to sign the image (or other binary file) outside the web page without altering the image file (so that non-compliant viewer programs could still display the image). And that's what I was thinking of with the signed hash file. You can caption the image (as part of the image) with a pointer to a signed hash file, hash the new image, put the hash in the hash file, sign the file, and distribute that file. If a version of the image is found that doesn't have a matching hash to the one in the file, the image has been altered. But I suppose this is redundant, you could just put a bunch of detached sigs in the file, eh?

      The real fun is how to sign the image (or other binary file) outside the web page without altering the image file (so that non-compliant viewer programs could still display the image).

      Some graphics formats allow comments, e.g. gif

      I suppose if you wanted to get really fun, you could mess with the least significant bits.

      andy.

        mess with the least significant bits

        I thought about that too, but then you are fiddling around with the exact data you are attempting to hash.... I suppose you could make a hash from all the bits *excluding* those reserved for storing the hash, but that sounds quite hairy.

        -Blake
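
Added example, not part of any post in this thread: a Python sketch of the last idea above, hashing every bit except the least significant bits reserved for storing the hash. It assumes raw, uncompressed 8-bit samples and a hypothetical layout (the first 256 sample bytes each give up their LSB to hold a SHA-256 digest); the function names and the sample buffer are constructed for illustration.

```python
import hashlib

RESERVED = 256  # assumed layout: one LSB in each of the first 256 bytes holds the digest

def masked_digest(samples: bytes) -> bytes:
    """SHA-256 over the samples with the reserved LSBs forced to zero."""
    if len(samples) < RESERVED:
        raise ValueError("need at least %d sample bytes" % RESERVED)
    head = bytes(b & 0xFE for b in samples[:RESERVED])
    return hashlib.sha256(head + samples[RESERVED:]).digest()

def embed(samples: bytes) -> bytes:
    """Return a copy whose reserved LSBs carry the masked digest."""
    digest = masked_digest(samples)
    out = bytearray(samples)
    for i in range(RESERVED):
        bit = (digest[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract(samples: bytes) -> bytes:
    """Read the reserved LSBs back into a 32-byte digest."""
    digest = bytearray(32)
    for i in range(RESERVED):
        digest[i // 8] |= (samples[i] & 1) << (7 - i % 8)
    return bytes(digest)

def verify(samples: bytes) -> bool:
    """True when the embedded digest matches the non-reserved bits."""
    if len(samples) < RESERVED:
        return False
    return extract(samples) == masked_digest(samples)

# Constructed sample data standing in for decoded pixel bytes.
PIXELS = bytes((i * 37 + 11) % 256 for i in range(1024))

if __name__ == "__main__":
    stamped = embed(PIXELS)
    print("stamped verifies:", verify(stamped))
    tampered = bytearray(stamped)
    tampered[500] ^= 0x80  # change one pixel outside the reserved region
    print("tampered verifies:", verify(bytes(tampered)))
    # Anyone who edits the image can recompute and re-embed the digest, so
    # authenticity still needs a signature over extract(stamped).
```

Because the digest is computed with the reserved bits zeroed, writing it into those bits does not change it, which is what keeps the scheme from chasing its own tail. It only survives lossless storage of the samples.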