Nice that radiusnet is out there as a resource (++ for the link)-- they have a highly concentrated crypto site. However, you'd think they'd have a pointer or two to their own public keys... the 17 keys I got that matched 'radiusnet.net' from keys.pgp.com don't match the one used to sign the HTML page in question.
And sadly, they've basically shown how to embed the signature by hand in a very static HTML file... a method which requires the verifier to fiddle with the page in question. Even with their public key, I'd have to add some information to their HTML to get it to verify (and I'd be guessing to do that).
By subclassing CGI, I've managed to build methods that insert detached sigs into HTML comments to sign both text and images. I'm just polishing that up, and then I want to make a quickie to assist in batch process creating detached sigs (part of the way I would implement John's original idea-- since you'd be signing everything ahead of time). Then, of course, the fun part, building a utility to verify the signatures (since the data requires some handling to get it into GnuPG or PGP in a useful format). Once I get a basic set of tools together, I plan to post for review. :)
Interesting. He just points out that PGP sig verification will work just fine if you get the correct ASCII armor header/footer lines in there. He puts the first inside an HTML comment and the latter inside a PRE.
So, stuff before and after the signed parts are not checked.
I don't plan, at its simplest, to do anything much more elaborate than that. But I'll have a Perl script to automate it.
—John
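For anyone wanting to see what the "some handling" in the first post and the header/footer trick in John's post look like in practice, here is a worked example. It is added here for illustration and is not code from either poster (their tools were Perl scripts, not shown on the page). It assumes the layout John describes: the `-----BEGIN PGP SIGNED MESSAGE-----` line hidden in an HTML comment and the signature footer sitting inside a `<pre>`. The sample page, the placeholder signature body in it and the function names are all constructed for the example.

```python
"""Pull a PGP clearsigned block back out of an HTML page and show what it covers.

Added example, not code from the thread.  Assumes the armor header is inside an
HTML comment and the signature footer inside <pre>; the sample page below and
its signature body are constructed (the signature is a placeholder, so gpg
would reject it; the point is what gets extracted and what is left unchecked).
"""
import re
import shutil
import subprocess
from typing import Optional

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample page (not from radiusnet or anyone in the thread).
SAMPLE_HTML = """<html><body>
<p>Preamble: outside the armor, so never checked.</p>
<!-- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-->
<h1>Signed content</h1>
<p>Everything from here to the signature header is what gpg hashes.</p>
<pre>
-----BEGIN PGP SIGNATURE-----

iQEVAwUBPLACEHOLDERSIGNATUREBODYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=AAAA
-----END PGP SIGNATURE-----
</pre>
<p>Trailer: also outside the armor, so never checked.</p>
</body></html>
"""

# Everything from the armor header through the signature footer, non-greedy so
# a page carrying several signed regions yields the first one only.
ARMOR_RE = re.compile(re.escape(BEGIN_SIGNED) + r".*?" + re.escape(END_SIG),
                      re.DOTALL)


def extract_armor(html: str) -> Optional[str]:
    """Return the clearsigned block exactly as gpg/PGP expect it, or None.

    The '<!--' before the header and the '</pre>' after the footer are dropped;
    the '-->' and '<pre>' inside the region stay, because the signer signed them.
    """
    m = ARMOR_RE.search(html)
    if not m:
        return None
    return m.group(0) + "\n"


def signed_text(armor: str) -> str:
    """Return the part of a clearsigned block that the signature actually covers.

    Per RFC 4880 that is the text after the blank line closing the armor
    headers up to the line before BEGIN PGP SIGNATURE, with the clearsign
    dash-escape ("- " at line start) removed.  (gpg also ignores trailing
    whitespace on each line; that detail is omitted here.)
    """
    body_start = armor.index("\n\n") + 2
    body_end = armor.index(BEGIN_SIG)
    body = armor[body_start:body_end]
    if body.endswith("\n"):          # final newline is not part of the text
        body = body[:-1]
    lines = body.split("\n")
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines)


def verify_with_gpg(armor: str) -> Optional[bool]:
    """Feed the extracted block to 'gpg --verify' on stdin.

    Returns True/False for gpg's verdict, or None when gpg is not installed, so
    the example still runs offline.  The signer's key must already be in the
    keyring; this does not fetch keys.
    """
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(["gpg", "--batch", "--verify"],
                          input=armor.encode(), capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    block = extract_armor(SAMPLE_HTML)
    print(block)
    print("--- covered by the signature ---")
    print(signed_text(block))
    print("gpg verdict:", verify_with_gpg(block))
```

The thing to notice is the unchecked surround that John mentions: rewriting the preamble or the trailer gives you the identical armor block, so a verifier that reports "good signature" has said nothing about them, while any change between the `-->` and the `<pre>` changes the block and breaks the signature.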