Clearsign of HTML-pages
Ben Finney
ben at benfinney.id.au
Fri Oct 10 00:03:58 CEST 2003
On 24-Sep-2003, Vyacheslav Iutin wrote:
> How to place gpg-signature in the HTML-comments?

If the signature is inside the document that it signs, then it changes
the contents of the document. What is the signature supposed to be
checked against?

For example, to make a signature of this document:
=====
<html><body>
<DEFANGED_tag>Foo</DEFANGED_tag>
<DEFANGED_tag>Bar</DEFANGED_tag>
</body></html>
=====
that results in the hypothetical signature:
=====
----- BEGIN BOGUS SIGNATURE -----
DEADBEEFDEADBEEF
----- END BOGUS SIGNATURE -----
=====
That signature will only be valid against the *exact contents* of the
above document. Placing the signature *within* the document, as HTML
comments:
=====
<html><body>
<DEFANGED_tag>Foo</DEFANGED_tag>
<DEFANGED_tag>Bar</DEFANGED_tag>
<!--
----- BEGIN BOGUS SIGNATURE -----
DEADBEEFDEADBEEF
----- END BOGUS SIGNATURE -----
-->
</body></html>
=====
results in a completely different document. That signature no longer
validates against the document, because its contents have changed.

That's why signatures are always explicitly separated from the document;
either by having the document delimited with the familiar
----- BEGIN PGP SIGNED DOCUMENT ----- etc., or by having them as
separate files (or MIME parts, or whatever makes sense).

HTML documents are atomic; the whole thing is a single entity. A
separate signature can be made, as a separate file, but not embedded
into the document itself.
--
\ "The best is the enemy of the good." -- Voltaire |
`\ |
_o__) |
Ben Finney <ben at benfinney.id.au>
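
The point of the message above, as an added example that is not part of the original post: a signature computed over a page's exact bytes verifies when kept as a separate file, and fails once it is pasted into the page as an HTML comment. HMAC-SHA256 stands in for the OpenPGP signature here; the key, the `<p>` tags (the archive defanged the original ones) and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed sample: the document from the message, with <p> standing in
# for the tags that the list archive defanged.
DOCUMENT = b"<html><body>\n<p>Foo</p>\n<p>Bar</p>\n</body></html>\n"
KEY = b"constructed-demo-key"  # constructed stand-in for a signing key


def sign(data: bytes, key: bytes = KEY) -> str:
    """Stand-in for a detached signature: HMAC-SHA256 over the exact bytes."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str, key: bytes = KEY) -> bool:
    """Recompute the signature over `data` and compare in constant time."""
    return hmac.compare_digest(sign(data, key), signature)


def embed_as_comment(document: bytes, signature: str) -> bytes:
    """Place the signature inside the document as an HTML comment,
    just before </body>, as in the second listing of the message."""
    comment = b"<!--\n" + signature.encode() + b"\n-->\n"
    head, sep, tail = document.rpartition(b"</body>")
    return head + comment + sep + tail


def demo() -> dict:
    detached = sign(DOCUMENT)  # would be stored as a separate file
    embedded = embed_as_comment(DOCUMENT, detached)
    return {
        # The untouched page still matches its separate signature.
        "detached_ok": verify(DOCUMENT, detached),
        # The page carrying its own signature no longer matches it.
        "embedded_ok": verify(embedded, detached),
        "bytes_changed": embedded != DOCUMENT,
        # Signing the modified page gives a different signature, which
        # would itself have to be embedded, changing the bytes again.
        "resign_matches": sign(embedded) == detached,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```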
More information about the Gnupg-users
mailing list