embedding public-key cryptography into HTML

Philip Trauring (philip@cs.brandeis.edu)
Thu, 6 Apr 95 15:17:39 EDT

I sent the below message to a member of the working group at the beginning
of this week but have not received any response pertaining to it yet so I
have decided to just send it to the html-wg list. I would appreciate it if
someone could e-mail me and let me know how to subscribe to the html-wg
list as I tried sending a listserv command and it did not work. The below
proposal is my first draft on how to implement public-key encryption into
HTML so you can have document-level authentication as well as the point-to-point
authentication offered by SSL and SHTTP. One interesting extension to this
not covered is the use of embedded mailto: tags which several people have
mentioned to me as I have garnered support for this proposal.

----------------------------------------------------------------------------
I am not up on the exact requirements for a DTD but I'd like to give a
preliminary one to the working group and ask you to please let me know what
I need to add to make it complete. The encryption tags as I see it would
work something like:

<CRYPT form=PGP role=text>
<CRYPT form=PGP role=key>

<SIGN form=PGP role=text>
<SIGN form=PGP role=signature>

where the PGP form could be PEM or other encryption tools as well. Each
form could be defined in the MIME application list and the encrypted text
or signed text will be passed on to the encryption application for
processing. I'm not sure what the standard is on how the end-tags work so
I'm not sure if you need more than one </CRYPT> for each pair.

i.e.
<SIGN form=PGP role=text>
This is the signed text. This is the signed text. This is the signed text.
This is the signed text. This is the signed text. This is the signed text.
This is the signed text. This is the signed text. This is the signed text.
This is the signed text. This is the signed text. This is the signed text.
This is the
<SIGN form=PGP role=signature>
This is the signature. This is the signature. This is the signature. This
is the signature. This is the signature. This is the signature. This is the
signature.
</SIGN>

would be a simple conversion of the format PGP uses to an HTML-tag compliant
one. Notice it does not need a second end-tag. If HTML does require a
second end-tag then I suppose it would just be added to the end.

The browser software would load the encryption software which will be
modified to recognize these tags and launch the appropriate encryption
program to process and return either the decrypted text or the signature
name, depending on what it was sent. The signature name could then be
displayed somewhere in the window, perhaps in the header bar or along the
bottom bar. If the verification process fails the browser would announce
that to the user.
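The browser-side handling sketched above (find each SIGN block, hand the text and signature to the application named by the form attribute, display the signer's name, or report a failure) can be written as a small dispatcher. The following Python is an added example, not code from the proposal or from any PGP implementation. It assumes the tag layout shown earlier (a role=text tag, a role=signature tag with the same form, and one closing tag), and it registers a constructed form called DEMO backed by an HMAC stand-in so the example runs offline; a real PGP entry in the same table would pipe the two parts to the PGP program and parse its result. The canonicalization step (line-ending and trailing-whitespace normalisation) is an assumption of this example, added because the bytes between the tags otherwise depend on how the page was transported.

```python
"""Dispatcher for the proposed <SIGN form=... role=...> tags (added example)."""
import hashlib
import hmac
import re
from typing import Callable, Dict, List, NamedTuple, Optional

# One signed block as laid out in the proposal: a role=text tag, a role=signature
# tag with the same form, then a single </SIGN>.  The backreference (?P=form)
# rejects a signature tag whose form does not match the text tag.
BLOCK_RE = re.compile(
    r"<SIGN\s+form=(?P<form>[\w-]+)\s+role=text>(?P<text>.*?)"
    r"<SIGN\s+form=(?P=form)\s+role=signature>(?P<sig>.*?)</SIGN>",
    re.IGNORECASE | re.DOTALL,
)


class SignedBlock(NamedTuple):
    form: str
    text: str
    signature: str


def canonicalize(s: str) -> str:
    """Normalise line endings and trailing whitespace (assumed canonical form).

    Without this, the signed bytes would depend on CRLF/LF conversion and on
    the newline that follows the opening tag, and valid signatures would fail.
    """
    lines = s.replace("\r\n", "\n").split("\n")
    return "\n".join(line.rstrip() for line in lines).strip("\n")


def parse_signed_blocks(html: str) -> List[SignedBlock]:
    """Extract every SIGN block from the page, in document order."""
    return [
        SignedBlock(m.group("form").upper(),
                    canonicalize(m.group("text")),
                    canonicalize(m.group("sig")))
        for m in BLOCK_RE.finditer(html)
    ]


# A verifier takes (text, signature) and returns the signer's name, or None on
# failure.  This is the "encryption application" the proposal hands the parts to.
Verifier = Callable[[str, str], Optional[str]]

# Constructed stand-in for the DEMO form: a shared HMAC key plays the part of the
# key lookup a public-key tool would do.  It exists only so the example is
# self-contained; it is not a public-key scheme.
DEMO_KEY = b"constructed-demo-key"
DEMO_SIGNER = "Demo Signer <demo@example.invalid>"


def demo_sign(text: str) -> str:
    return hmac.new(DEMO_KEY, canonicalize(text).encode(), hashlib.sha256).hexdigest()


def demo_verify(text: str, signature: str) -> Optional[str]:
    expected = demo_sign(text)
    # constant-time comparison so a failed check leaks nothing about the digest
    return DEMO_SIGNER if hmac.compare_digest(expected, signature) else None


# Dispatch table keyed by the form attribute.  A real "PGP" entry would invoke
# the PGP program on the two parts and map its output onto (signer | None).
VERIFIERS: Dict[str, Verifier] = {"DEMO": demo_verify}


class VerificationResult(NamedTuple):
    form: str
    ok: bool
    signer: Optional[str]
    message: str  # what the browser would show in the header or bottom bar


def verify_document(html: str) -> List[VerificationResult]:
    """Check every SIGN block and produce the message the browser should display."""
    results = []
    for block in parse_signed_blocks(html):
        verifier = VERIFIERS.get(block.form)
        if verifier is None:
            # An unknown form must be reported, never silently treated as verified.
            results.append(VerificationResult(
                block.form, False, None, f"no verifier registered for form {block.form}"))
            continue
        signer = verifier(block.text, block.signature)
        if signer is None:
            results.append(VerificationResult(
                block.form, False, None, "signature verification FAILED"))
        else:
            results.append(VerificationResult(
                block.form, True, signer, f"signed by {signer}"))
    return results


def build_signed_html(text: str) -> str:
    """Wrap text in the proposal's tag layout, using the DEMO form (constructed)."""
    return (f"<SIGN form=DEMO role=text>\n{text}\n"
            f"<SIGN form=DEMO role=signature>\n{demo_sign(text)}\n</SIGN>")


# Constructed sample page, plus a copy whose signed text was altered after signing.
SAMPLE_TEXT = "This is the signed text. This is the signed text."
SAMPLE_HTML = "<P>Unsigned preamble.</P>\n" + build_signed_html(SAMPLE_TEXT)
TAMPERED_HTML = SAMPLE_HTML.replace("signed text", "altered text")

if __name__ == "__main__":
    for page in (SAMPLE_HTML, TAMPERED_HTML):
        for r in verify_document(page):
            print(r.form, "OK" if r.ok else "FAIL", "-", r.message)
```

Two behaviours matter for a browser implementing this: a block whose form has no registered application is reported as unverified rather than passed through, and any change to the text between the tags after signing makes the verification announce a failure.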

I hope this is okay for a preliminary draft. Please let me know what the
working group thinks.

BTW, a possible alternate set of tags could be:

<CRYPT form=PGP role=cyphertext>
<CRYPT form=PGP role=key>

<CRYPT form=PGP role=signed>
<CRYPT form=PGP role=signature>

which would use only one new tag but require more settings.

Philip Trauring

--=--=====--=--=====--=--=====--=--=====--=--=====--=--=====--=--=====--=--
Philip Trauring                      philip@cs.brandeis.edu
Brandeis University MB1001
P.O. Box 9110
Waltham, Ma 02254-9110
(617) 736-5282 ['94/95]

"knowledge is my addiction, information is my drug."

WWW home page: http://www.cs.brandeis.edu/~philip/home.html
--=--=====--=--=====--=--=====--=--=====--=--=====--=--=====--=--=====--=--