Re: signature/encryption tags -> follow-up

Amanda Walker (amanda@intercon.com)
Tue, 11 Apr 95 10:27:29 EDT

> Your scenario does not allow multiple-segment files.

Not necessarily. You could, for example, use the MIME Object Security Service
within HTTP. I agree with others who are saying the security services you
propose belong at this level rather than within HTML itself.

> It is a simple matter to call out to the external program to do
> the calculations.

Sometimes. Is this the voice of experience (i.e., have you written a browser
that does it?) or is it just something you think is "obvious"? Our browser
does not depend on "helper applications," and I have no intent to start any
time soon...

> By implemenating the form=???? comment in the <SIGN>
> tag you can create definition files for the encryption programs so
> the HTML file can use whatever format it wants.

Why not take advantage of work that's already been done (the PEM working
group's work on MIME Object Security Services, for example)? Let's not
reinvent wheels we don't have to :)...

> Integrating a signature tag is the only way to provide real
> document-level security in WWW documents.

The class "WWW document" is not necessarily restricted to HTML, though. By
providing MIME-based signature and encryption at the HTTP level, you gain
document-level (actually, body-part level) security for any document accessed
via HTTP, without having to invent yet another cryptographic representation.

Amanda Walker
InterCon Systems Corporation