Idea: GPG signatures within HTML

Thomas Shaddack shaddack at
Sat Nov 22 05:54:39 PST 2003

Sometimes a problem appears with publishing information on the Web, when
the authenticity of document, especially a widely-distributed one, has to
be checked. I am not aware about any mechanism available presently.

A trick with HTML (or SGML in general) tag and a comment, a browser plugin
(or manual operation over saved source), and a GPG signature over part of
the HTML file should do the job, with maintaining full backward
compatibility and no problems for the users not using this scheme.

It should be possible to make this HTML construction:

blah blah blah blah blah unsigned irrelevant part of the document, eg.
headers and sidebars which change with the site design
Hash: SHA1

This is the PGP-signed part
of the HTML document.

Version: GnuPG v1.1.91 (MingW32) - GPGrelay v0.893

the unsigned rest of the HTML document

The <SIGNED>...</SIGNED> tags are ignored by browsers that don't know
them, and provide leads for eventual browser plugins.

The <!-- --> comments are used to hide the signature from the user in
standard browsers.

The scheme is designed to allow signing only parts of documents, so they
could be published in fast-changing environments like blogs or on
dynamically generated pages, and to have many different signed parts on
one page. It should also allow manual checking of the signature, eg. by
curl http://url | gpg --verify

Feel free to use the idea if it is good.

Opinions, comments?

More information about the cypherpunks-legacy mailing list