ietf-dkim

Re: [ietf-dkim] Re-thinking the organization of the DKIM spec

2011-01-12 06:57:25
On Tue, 11 Jan 2011 12:12:53 -0000, Eliot Lear <lear(_at_)cisco(_dot_)com> 
wrote:

4.  Rather than keep it in the back of my head, I'll state it outright:
is a goal here to provide an alternative to SSL-based web page
security?  Conveniently, web content does take the form of header/body.
If so, one reasonable question to ask would be whether there exist
characteristics and semantics of X.509 that would be necessary in this
context.  For instance, is there sufficient surety given for, oh,
banks?  And what would the UI implications be?  Also, presumably it
would have implications to TLS relating to keying material.

It's the HTTP protocol that is header/body based, and that protocol is used
for other things than transporting web content, so certifying HTTP
messages is not the same as SSL signing web pages (and is somewhat simpler
since it involves no encryption).

In web applications, the HTTP/XML/whatever page is the payload of the HTTP  
transmission. The HTTP headers are concerned more with the transmission  
mechanics (date, MIME structure, etc).

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
