Eric Rescorla says:
In the email world, you don't necessarily have any sort of prior relationship with the person you're communicating with and that public key cryptography is relatively cheap. (When it takes minutes to ship mail across the net, who's going to notice a second or two of signature verification?) However, in the case of the Web, things are very different.
Since one can sign pages just once (they are written once and read often) and one can pick one's signature algorithm to speed up verifications relative to the signatures (using small exponents is the usual trick fo this), I'm not sure its that big a problem. I'd like these algorithms to support the serving of signed pages from hosts that do not know the keys that the pages have been signed with -- offline signature schemes like the one I just described will support that nicely. (However, any algorithm that is cognisant of the difference between securing the pages and just securing the channel is an improvement over the SSL proposal.) .pm