Idea: GPG signatures within HTML

Thomas Shaddack shaddack at ns.arachne.cz
Sat Nov 22 05:54:39 PST 2003


Sometimes a problem appears with publishing information on the Web, when
the authenticity of a document, especially a widely-distributed one, has to
be checked. I am not aware of any mechanism available presently.

A trick with an HTML (or SGML in general) tag and a comment, a browser plugin
(or manual operation over saved source), and a GPG signature over part of
the HTML file should do the job, while maintaining full backward
compatibility and causing no problems for users not using this scheme.

It should be possible to make this HTML construction:


<HTML>
<BODY>
blah blah blah blah blah unsigned irrelevant part of the document, eg.
headers and sidebars which change with the site design
<SIGNED SCHEME="GPG"><!--
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-->
This is the PGP-signed part
of the HTML document.
<!--

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.1.91 (MingW32) - GPGrelay v0.893

ihas7Ds9fXLR9ksWRdwNZXNA8SdshwAJ9zwXFDgvdg5G2mqXp5BD4Sx2ZmjwCfSs70
Kj8sQor6i+MUZBmp5pdM1vU=
=hIsR
-----END PGP SIGNATURE-----
--></SIGNED>
the unsigned rest of the HTML document
</BODY></HTML>


The <SIGNED>...</SIGNED> tags are ignored by browsers that don't know
them, and provide leads for eventual browser plugins.

The <!-- --> comments are used to hide the signature from the user in
standard browsers.

The scheme is designed to allow signing only parts of documents, so they
could be published in fast-changing environments like blogs or on
dynamically generated pages, and to have many different signed parts on
one page. It should also allow manual checking of the signature, eg. by
curl http://url | gpg --verify

Feel free to use the idea if it is good.

Opinions, comments?
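
Added example (not part of the original post): Python that pulls each <SIGNED SCHEME="GPG"> block out of a page laid out as above, so that only the clearsigned message goes to gpg --verify and only the text it covers is treated as authenticated. The function names and the sample page are constructed here; it assumes real clearsign output, where OpenPGP dash-escapes lines starting with "-", so the comment close appears as "- -->".

```python
import re

# Constructed sample page in the post's layout; the signature body is a
# placeholder, not a valid signature.
SAMPLE = """<HTML>
<BODY>
unsigned header
<SIGNED SCHEME="GPG"><!--
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -->
This is the PGP-signed part
of the HTML document.
<!--

-----BEGIN PGP SIGNATURE-----

PLACEHOLDERSIGNATUREDATA
=XXXX
-----END PGP SIGNATURE-----
--></SIGNED>
unsigned footer
</BODY></HTML>
"""

# One <SIGNED> element: capture from the armor header to the armor footer.
BLOCK = re.compile(
    r'<SIGNED\s+SCHEME="GPG"\s*>\s*<!--[ \t]*\n'
    r'(-----BEGIN PGP SIGNED MESSAGE-----\n.*?-----END PGP SIGNATURE-----)',
    re.S | re.I)

def extract_signed_blocks(html):
    """Return each clearsigned message, ready to feed to `gpg --verify`."""
    return [m.group(1) + "\n" for m in BLOCK.finditer(html)]

def signed_text(message):
    """Return the text the signature covers, with dash-escaping undone."""
    body = message.split("\n\n", 1)[1]  # skip the "Hash:" armor headers
    body = body.split("\n-----BEGIN PGP SIGNATURE-----", 1)[0]
    return "\n".join(l[2:] if l.startswith("- ") else l
                     for l in body.split("\n"))

def visible_part(text):
    """Drop the comment close/open lines that frame the rendered content."""
    return re.sub(r'\A-->\n|<!--\s*\Z', '', text)
```

Anything outside what extract_signed_blocks() returns, such as the header and footer in the sample, is not covered by the signature and should not be shown as verified.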




