1996-02-03 - Web page authentication (was: Anti-Nazi Authentication)

Header Data

From: Bryce <wilcoxb@nag.cs.colorado.edu>
To: Rich Graves <llurch@networking.stanford.edu>
Message Hash: 22d8b6944f01fa017b70f1e42695b4dd93c523ffd26d482cd535353dc64b3d70
Message ID: <199602030123.SAA09872@nag.cs.colorado.edu>
Reply To: <Pine.ULT.3.91.960202120722.19670I-100000@Networking.Stanford.EDU>
UTC Datetime: 1996-02-03 02:26:54 UTC
Raw Date: Sat, 3 Feb 1996 10:26:54 +0800

Raw message

From: Bryce <wilcoxb@nag.cs.colorado.edu>
Date: Sat, 3 Feb 1996 10:26:54 +0800
To: Rich Graves <llurch@networking.stanford.edu>
Subject: Web page authentication (was: Anti-Nazi Authentication)
In-Reply-To: <Pine.ULT.3.91.960202120722.19670I-100000@Networking.Stanford.EDU>
Message-ID: <199602030123.SAA09872@nag.cs.colorado.edu>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----


 An entity calling itself "Rich Graves 
 <llurch@networking.stanford.edu>" is alleged to have
 written:
>
> On Fri, 2 Feb 1996, Bryce wrote:
> 
> > > What's wrong with a prominent PGP-signed notice in <PRE>'s that "This
> > > page, at URL [whatever], has a separate PGP signature at [other URL]." 
> > > I've done that with the windows networking FAQ a few times until it just 
> > > got to be too much trouble.
> > 
> > That's a good idea, but I don't see any reason to sign the 
> > notice.
> 
> For the paranoid, it would be an added assurance that they are reading the
> original file at the original location. Otherwise, anybody could copy the
> Web page, modify it, and give it someone else's PGP signature. 


Uhhh- wait a second.  Anybody can always copy the file *and*
the signature to a new site without changing the
authentication.  And anybody can always copy the cleartext
and then sign it with a different key.  Right?  What are you
getting at?


Now what you can do is put the site's URL in the signed 
text, forcing the copier to change the URL and re-sign it
with his own key.  And you could time-stamp your document, 
proving that you had possession of it before the copier did.
But that's the extent of what you can do, AFAIK.


> But yeah, it would look awfully silly, especially to the non-PGP-aware
> public. An unobtrusive PGP logo (below) would be great, and might become
> a status symbol, like those cheesy HTML validation service and Internet
> Audit Bureau logos (which I have used on a few pages). 


Yeah that was my idea.  A little "PGP signed" logo.  If the
user clicks on it it gives them the signature, and/or a href
to a PGP page.  (Probably one maintained by yours truly.)


> Yeah, I like the idea of a standardized logo. A lot.


I have a little logo which is (as I recall) 32x32 pixels
which is just "PGP" with a red check-mark superimposed.
I'll hack on this idea during what I jocularly refer to as
my spare time.


Regards,

Bryce

                 "Toys, Tools and Technologies"
  the Niche 
        New Signal Consulting -- C++, Java, HTML, Ecash
            Bryce 
 
PGP sig follows



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

iQCVAwUBMRK45PWZSllhfG25AQG9uQP/Ry8TJDwvBjgNLjqJ4O0kX5277Th9ERoD
/I90bq+EvdkVOIypr8DIagxGQDtY8GUDeIXzZvvoUSH/h/EioKP7P6J3El9liCmO
NEYcGhlYtnKMn2/iKeQiZfu68iVSCpUSm8Tvq42ecLKTpgcpx+6sQIhFs3e5oG0O
F2lc601FTL4=
=0qGM
-----END PGP SIGNATURE-----
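The URL-in-the-signed-text idea from the message above, sketched as an added example that is not part of the original e-mail or of any PGP tool. Assumptions: Ed25519 from the Go standard library stands in for the PGP signature, the `Canonical-URL:` first line and the `author.example` / `copy.example` hosts are hypothetical, and the reader already holds the author's public key.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)

const prefix = "Canonical-URL: " // hypothetical first line of the signed text

// Page is a fetched document and its detached signature.
type Page struct {
	FetchedFrom, Body string
	Sig               []byte
}

// Verify checks the pinned author key first, then the URL bound into the signed text.
func Verify(author ed25519.PublicKey, p Page) error {
	if !ed25519.Verify(author, []byte(p.Body), p.Sig) {
		return errors.New("not signed by the pinned author key")
	}
	first := strings.SplitN(p.Body, "\n", 2)[0]
	if !strings.HasPrefix(first, prefix) {
		return errors.New("signed text declares no URL")
	}
	if u := strings.TrimPrefix(first, prefix); u != p.FetchedFrom {
		return fmt.Errorf("signed for %s but served from %s", u, p.FetchedFrom)
	}
	return nil
}

// Demo runs the three cases from the message on constructed sample data.
func Demo() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(nil) // author (nil selects crypto/rand)
	_, copier, _ := ed25519.GenerateKey(nil) // someone re-hosting the page
	home, mirror := "https://author.example/faq.html", "https://copy.example/faq.html"
	body := prefix + home + "\nWindows networking FAQ ...\n"
	sig := ed25519.Sign(priv, []byte(body))
	forged := strings.Replace(body, home, mirror, 1) // URL edited, must be re-signed
	return map[string]error{
		"original": Verify(pub, Page{home, body, sig}),
		"copied":   Verify(pub, Page{mirror, body, sig}), // file and signature moved together
		"resigned": Verify(pub, Page{mirror, forged, ed25519.Sign(copier, []byte(forged))}),
	}
}

func main() { fmt.Println(Demo()) }
```

The copied page still carries a valid signature; it is only the comparison with the served URL that exposes the move, and the re-signed page is caught only because the reader pins the author's key.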




