From shaddack@ns.arachne.cz Sat Nov 22 09:09:18 2003
From: Thomas Shaddack <shaddack@ns.arachne.cz>
To: cypherpunks-legacy@lists.cpunks.org
Subject: Idea: GPG signatures within HTML
Date: Sat, 22 Nov 2003 09:09:18 +0000
Message-ID: <0311221436180.-1216855884@somehost.domainz.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8719914484801491869=="

--===============8719914484801491869==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Sometimes a problem appears with publishing information on the Web, when
the authenticity of document, especially a widely-distributed one, has to
be checked. I am not aware about any mechanism available presently.

A trick with HTML (or SGML in general) tag and a comment, a browser plugin
(or manual operation over saved source), and a GPG signature over part of
the HTML file should do the job, with maintaining full backward
compatibility and no problems for the users not using this scheme.

It should be possible to make this HTML construction:


<HTML>
<BODY>
blah blah blah blah blah unsigned irrelevant part of the document, eg.
headers and sidebars which change with the site design
<SIGNED SCHEME="GPG"><!--
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--!>
This is the PGP-signed part
of the HTML document.
<!--

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.1.91 (MingW32) - GPGrelay v0.893

ihas7Ds9fXLR9ksWRdwNZXNA8SdshwAJ9zwXFDgvdg5G2mqXp5BD4Sx2ZmjwCfSs70
Kj8sQor6i+MUZBmp5pdM1vU=
=hIsR
-----END PGP SIGNATURE-----
--!></SIGNED>
the unsigned rest of the HTML document
</BODY></HTML>


The <SIGNED>...</SIGNED> tags are ignored by browsers that don't know
them, and provide leads for eventual browser plugins.

The <!-- --> comments are used to hide the signature from the user in
standard browsers.

The scheme is designed to allow signing only parts of documents, so they
could be published in fast-changing environments like blogs or on
dynamically generated pages, and to have many different signed parts on
one page. It should also allow manual checking of the signature, eg. by
curl http://url | gpg --verify

Feel free to use the idea if it is good.

Opinions, comments?



--===============8719914484801491869==--


From shaddack@ns.arachne.cz Sat Nov 22 09:37:45 2003
From: Thomas Shaddack <shaddack@ns.arachne.cz>
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: Idea: GPG signatures within HTML - problem with inline  objects
Date: Sat, 22 Nov 2003 09:37:45 +0000
Message-ID: <0311221455380.0@somehost.domainz.com>
In-Reply-To: <0311221436180.-1216855884@somehost.domainz.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8272573483096829783=="

--===============8272573483096829783==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

There is a problem with images and other inline objects. There is a
solution, too.

The objects included into the document can get their hash calculated and
included in their tag; eg,
<IMG SRC="image.jpg" HASH="SHA1:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83">
The tag has to be in the signed part of the document, so the hash can't be
tampered with.

Full digital signatures should be possible as well, eg.

<IMG SRC="image.jpg" SIGNATURE="http://where.is.the/signature.asc">

or

<IMG SRC="image.jpg" SIGNATURE="identifier">
some HTML code here
<SIGNATURE TYPE="gpg" NAME="identifier"><!--
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.11 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA31UOQaLeriVdUjc0RAjhBAJ4u1k5ex8+ZAtYi737GFXPOiBc51gCfU5+8
is2rD6L/6fIOWttfh5CYUW0=
=WOv2
-----END PGP SIGNATURE-----
--></SIGNATURE>

This way doesn't depend on the part of the document being signed, as the
signature can't be effectively tampered with undetected anyway.


Same scheme could be used in <A HREF> tags, allowing automated checking of
signatures or hashes of downloaded binary files.



--===============8272573483096829783==--


From henryk@ploetzli.ch Sat Nov 22 10:20:26 2003
From: Henryk =?utf-8?q?Pl=C3=B6tz?= <henryk@ploetzli.ch>
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: Idea: GPG signatures within HTML
Date: Sat, 22 Nov 2003 10:20:26 +0000
Message-ID: <20031122160714.59588c48.henryk@ploetzli.ch>
In-Reply-To: <0311221436180.-1216855884@somehost.domainz.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5733131812831595275=="

--===============5733131812831595275==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Moin,

Am Sat, 22 Nov 2003 14:54:39 +0100 (CET) schrieb Thomas Shaddack:

> A trick with HTML (or SGML in general) tag and a comment, a browser
> plugin(or manual operation over saved source), and a GPG signature
> over part of the HTML file should do the job, with maintaining full
> backward compatibility and no problems for the users not using this
> scheme.

> Opinions, comments?

This is already done, although I'm not aware of any browser supporting
an automated verification. For an example look at the HTML source of
http://www.bundesverfassungsgericht.de/entscheidungen/frames/rk20030827_2bvr0=
91103

--=20
Henryk Plvtz
Gr|_e aus Berlin
~~~~~~~ Un-CDs, nein danke! http://www.heise.de/ct/cd-register/ ~~~~~~~
~ Help Microsoft fight software piracy: Give Linux to a friend today! ~



--===============5733131812831595275==--