Digital Signatures on Web Pages
by John M. Dlugosz (Monsignor) on Sep 21, 2001 at 00:34 UTC
This started out as a Perl topic: I thought a good use for btrott's new OpenPGP module would be a Perl script that signs and verifies signatures on web pages.
I thought about signing web pages so that the documentation and other information posted on the site is tied with the digital signature on the code. I thought about that after a CB discussion about a new virus, where a file name that's of a real file is in the wrong place. Signing our EXE's and DLL's would cut that out.
So, how does someone downloading my library know that it's signed by me, not just signed by anyone who figures out how to run PGP and type a name? Because the same signature is used in other places, so the consumer "gets to know" that person.
So, I figured it would be a fairly simple task: run the text of the HTML file (after filtering out the sig line itself) through Crypt::OpenPGP in text mode, and stick the result in a META tag or PICS field or something.
Simple, right? So why hasn't it already been done? I did a search for existing standards, and found XML signatures and signing of PICS tags, but not signing of HTML documents or portions thereof.
So, is there such a thing already that you've heard of?
Another idea is to generate a standalone sig file, and either use a naming convention (foo.html belongs with foo.html.sig) or a link on your page to it, or both. No "standards" needed, no special tools either. Just run all your files through PGP generating detached sigs, and provide those on your site as well.
Any thoughts, anyone?
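
A sketch of the embedded-signature idea described in the post, added here as an example and not code from the original poster: the page is signed with its signature line filtered out, and verification strips that line again before checking. The META name `pgp-signature`, the `SIGN_KEYID` and `SIGN_PASS` environment variables, and the use of GnuPG-format keyrings are assumptions.

```perl
use strict;
use warnings;
use Crypt::OpenPGP;
use MIME::Base64 qw(encode_base64 decode_base64);

# Hypothetical carrier for the signature; the post leaves the tag unspecified.
my $SIG_RE = qr{<meta name="pgp-signature" content="([A-Za-z0-9+/=]+)">\n};

# The bytes that get signed: the page without its sig line, with line endings
# normalised so a CRLF/LF conversion in transit does not break the check.
sub canonical {
    my ($html) = @_;
    $html =~ s/\r\n?/\n/g;
    $html =~ s/$SIG_RE//g;
    return $html;
}

sub sign_page {
    my ($pgp, $html, $key_id, $pass) = @_;
    my $body = canonical($html);
    my $sig  = $pgp->sign(Data => $body, KeyID => $key_id, Passphrase => $pass,
                          Detach => 1, Armour => 1)
        or die "sign failed: " . $pgp->errstr . "\n";
    # Armoured output is multi-line; base64 it again to fit one attribute.
    my $tag = sprintf qq{<meta name="pgp-signature" content="%s">\n},
        encode_base64($sig, '');
    $body =~ s/(<head[^>]*>\n?)/$1$tag/i or die "no <head> element\n";
    return $body;
}

sub verify_page {
    my ($pgp, $html) = @_;
    $html =~ s/\r\n?/\n/g;
    my @sigs = $html =~ /$SIG_RE/g;
    return 0 unless @sigs == 1;          # missing or duplicated sig line
    my $who = $pgp->verify(Signature => decode_base64($sigs[0]),
                           Data      => canonical($html));
    die "verify error: " . $pgp->errstr . "\n" unless defined $who;
    return $who;                         # 0 means the signature did not match
}

my ($mode, $file) = @ARGV;
die "usage: $0 sign|verify page.html\n" unless $mode && $file;
open my $fh, '<', $file or die "$file: $!\n";
my $html = do { local $/; <$fh> };
my $pgp  = Crypt::OpenPGP->new(Compat => 'GnuPG');   # assumes GnuPG keyrings
if ($mode eq 'sign') {
    print sign_page($pgp, $html, $ENV{SIGN_KEYID}, $ENV{SIGN_PASS});
} else {
    my $who = verify_page($pgp, $html);
    print $who ? "good signature from $who\n" : "BAD or missing signature\n";
}
```

A good result only says which key in the verifier's keyring made the signature; whether that key belongs to the author is the separate question the post raises.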