Hi John,
On Friday, 21 June 2002, at 15:32, John Stracke wrote:
1) the signature is computed over either the entire HTML or only the static
parts with strict conditions about the unsigned dynamic parts
[...]
3) nearly nothing has to be changed on webserver or browser side to access
the content, the rfc 2660 seems to make much more trouble in this direction
I think you'll find that these two goals are incompatible. I'm sure
the core server can remain unchanged, but application development
would be radically different. And, unfortunately, many websites are
developed by one-trick programmers, people for whom learning anything
new is a terrifying prospect. Combine that with the fact that the
most common set of data which needs to be protected on a secure web
site is credit card numbers, which have adequate legal protections,
and the set of people interested in sigHTTP it's just too small.
As expected, I have to disagree with your post ;-)
The third point means that if you are not interested in checking the
signature as a regular web surfer, your actual user software won't
complain about the additional info in the server header reply and in
the HTML structure.
The work for the developer will certainly increase, but only slightly
if he has mostly static pages. This might be the chance to sell yourself
to your customers by delivering not simple student-level websites but
secure websites. I think the additional work must influence the
marketing and vice versa.
And at least I think you are too pessimistic about the small number of
interested people. I have the impression that here in Germany there are still
lots of people concerned and frightened every time some TV magazine reports
online banking bugs here and security fraud there. If everyone is
complaining, how about solving it in a simple way?
With kind regards,
--
Think Safety
www.security-gui.de & www.sighttp.org