Idea: GPG signatures within HTML - problem with inline objects
Thomas Shaddack
shaddack at ns.arachne.cz
Sat Nov 22 06:24:48 PST 2003
There is a problem with images and other inline objects. There is a
solution, too.

The objects included in the document can get their hash calculated and
included in their tag; e.g.,

<IMG SRC="image.jpg" HASH="SHA1:4e1243bd22c66e76c2ba9eddc1f91394e57f9f83">

The tag has to be in the signed part of the document, so the hash can't be
tampered with.

Full digital signatures should be possible as well, e.g.

<IMG SRC="image.jpg" SIGNATURE="http://where.is.the/signature.asc">

or

<IMG SRC="image.jpg" SIGNATURE="identifier">
some HTML code here
<SIGNATURE TYPE="gpg" NAME="identifier"><!--
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.11 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQA31UOQaLeriVdUjc0RAjhBAJ4u1k5ex8+ZAtYi737GFXPOiBc51gCfU5+8
is2rD6L/6fIOWttfh5CYUW0=
=WOv2
-----END PGP SIGNATURE-----
--></SIGNATURE>

This way doesn't depend on the part of the document being signed, as the
signature can't be effectively tampered with undetected anyway.

The same scheme could be used in <A HREF> tags, allowing automated checking of
signatures or hashes of downloaded binary files.
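
A sketch of the client-side check the HASH attribute would allow, as an added example that is not part of the original post. It assumes the signature over the enclosing HTML has already been verified; the names HashRefCollector, check_object, verify_document, demo and the fetch callback are hypothetical, and accepting a SHA256 prefix in the same "ALGO:hex" form is an assumption.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# Assumption: prefixes other than SHA1 use the same "ALGO:hex" form.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
URL_ATTR = {"img": "src", "a": "href"}  # tags the post proposes to cover

class HashRefCollector(HTMLParser):
    """Collect (url, hash_attr) for each IMG/A tag carrying a HASH attribute."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        url = attrs.get(URL_ATTR.get(tag, ""))
        if url and attrs.get("hash"):
            self.refs.append((url, attrs["hash"]))

def check_object(data, hash_attr):
    """Return 'ok', 'mismatch', 'missing', 'unsupported' or 'malformed'."""
    if data is None:
        return "missing"
    algo, _, hex_digest = hash_attr.partition(":")
    factory = ALGORITHMS.get(algo.upper())
    if factory is None:
        return "unsupported"  # never fall back to trusting the object
    try:
        expected = bytes.fromhex(hex_digest)
    except ValueError:
        return "malformed"
    actual = factory(data).digest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def verify_document(html, fetch):
    """Map each hashed URL to its status; fetch(url) returns bytes or None."""
    collector = HashRefCollector()
    collector.feed(html)
    return {url: check_object(fetch(url), h) for url, h in collector.refs}

def demo():
    """Constructed sample: one intact image, one download that does not match."""
    good = hashlib.sha1(b"constructed image").hexdigest()
    objects = {"image.jpg": b"constructed image", "tool.bin": b"altered"}
    html = (f'<IMG SRC="image.jpg" HASH="SHA1:{good}">'
            f'<A HREF="tool.bin" HASH="SHA1:{"0" * 40}">tool</A>')
    return verify_document(html, objects.get)
```

Anything other than "ok" should be treated as a failed check, including "unsupported", so that an unknown algorithm prefix cannot be used to skip verification.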