[doseta-discuss] suggestions/concerns on spec

Mark Nottingham mnot at mnot.net
Thu Jun 2 19:57:55 PDT 2011


On 03/06/2011, at 5:13 AM, Murray S. Kucherawy wrote:
>> DOSETA pulls in public key propagation.  Requires a bh field (you might
>> want to sign headers but no body).  I'd like to see that stuff split off
>> and/or optional.
> 
> That's curious.  Why would you want to sign none of the body?
> 
> (I've heard the email side of that argument, but I'm keen to hear new perspectives.)

My HTTP use case: I want a site-wide flag that says "everything on this site should be signed; if you receive something from this site that is not signed, it may be an indication of a MITM changing content." That's fine for "static" content, but for large, dynamically generated responses, buffering the entire thing to sign it may be undesirable, so an ability to sign something without the body would be useful here.

Cheers,

--
Mark Nottingham   http://www.mnot.net/





