Re: signature/encryption tags -> follow-up

Christian Mogensen (mogens@CS.Stanford.EDU)
Mon, 10 Apr 95 21:56:16 EDT

Have you checked out the www-security archives?

To be frank, I doubt you will get much crypto support into HTML 2 or 3,
since the current focus is to finish 2.0 and start working on the big issues
in 3.0 , such as Maths and table support, not to mention character set

The security group is dealing with the issues you are discussing.

Ah - *idea* - you could store fragment signatures and other cryptographic
data external to the HTML document by using named ranges as proposed in
the HTML 3.0 - i.e. having a signature for a section named using the MARK
and RANGE tags. (I'm inventing the Signature HTTP header here).

Content-type: text/html; version=3.0
Content-encoding: binary
Signature: id0; dn=""; pgp="arfle-barfle-gloop"
Signature: id1, dn="my RSA sanctioned name"; pem="base64-encoded-signature"

<MARK RANGE=id0 START=id_a END=id_b>
<MARK ID=id_a>
signed section
<MARK ID=id_b>

The user agent computes the signature using its own keyring (or fetches the
appropriate key using some defined mechanism (did you see a handwave? I saw
no handwave!) ) and checks it against the s-http encapsulated header.