Re: signature/encryption tags -> follow-up

Albert Lunde (Albert-Lunde@nwu.edu)
Tue, 11 Apr 95 00:56:54 EDT

> >On Mon, 10 Apr 1995, Philip Trauring wrote:
> >> Integrating a signature tag is the only way to provide real document-level
> >> security in WWW documents.
[...]
> What I meant was that within the framework of HTML it is the only way to do
> it. Implemnting this functionality outside of HTML proper is possible, but
> it is more complicated for the user and harder for the document author to
> create signed documents.
>
> Also, I don't know what you mean by 'create an implementation' that's why I
> posted a request for more information on how to proceed. Is there really
> any way to test it before browsers implement the functionality?

I really think you should look hard at S-HTTP before re-inventing
the wheel. I took another peek at the S-HTTP 1.1 draft, and it has
all the mechanism for signatures and/or encryption, using a number
of schemes including PGP and PEM. The only question seems to be
if one can make "stand-alone" signed documents; the fact that it
allows a secure message to be encapsulated inside another set
of RFC822 style headers suggests this is not futile. Also the
efforts to integerate PEM with MIME may be significatant.

On the other hand, I'm skeptical about efforts to "sign" readable
HTML markup, in an unencoded form, in particular because of
the problems that changes in end-of-line representation and
character encoding changes might produce as the resulting text
is passed around. It seems to me that something like MIME QP,
or base64 encoding would be required to get a consistent signature
or else you'd have to be extra careful about defining a
cannonical form for the text.

The HTTP/HTML specifications are intentionally somewhat lax about this.

(Also, I think this issue belongs on the www-security list.)

-- 
    Albert Lunde                      Albert-Lunde@nwu.edu