Idea: GPG signatures within HTML - problem with inline objects

Thomas Shaddack shaddack at
Sat Nov 22 06:24:48 PST 2003

There is a problem with images and other inline objects. There is a
solution, too.

The objects included into the document can get their hash calculated and
included in their tag; eg,
<IMG SRC="image.jpg" HASH="SHA1:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83">
The tag has to be in the signed part of the document, so the hash can't be
tampered with.

Full digital signatures should be possible as well, eg.

<IMG SRC="image.jpg" SIGNATURE="">


<IMG SRC="image.jpg" SIGNATURE="identifier">
some HTML code here
<SIGNATURE TYPE="gpg" NAME="identifier"><!--
Version: GnuPG v0.9.11 (GNU/Linux)
Comment: For info see


This way doesn't depend on the part of the document being signed, as the
signature can't be effectively tampered with undetected anyway.

Same scheme could be used in <A HREF> tags, allowing automated checking of
signatures or hashes of downloaded binary files.

More information about the cypherpunks-legacy mailing list