[whatwg] Signed XHTML

Mikko Rantalainen mikko.rantalainen at peda.net
Mon Oct 31 03:53:18 PDT 2011


2011-10-27 14:29 EEST: Henri Sivonen:
> On Thu, Oct 20, 2011 at 9:57 PM, Martin Boßlet
> <martin.bosslet at googlemail.com> wrote:
>> Are there plans in this direction? Would functionality like this have a
>> chance to be considered for the standard?
> 
> The chances are extremely slim.
> 
> XML signatures depend on XML canonicalization which is notoriously
> difficult to implement correctly and suffers from interop problems
> because unmatched sets of bugs in the canonicalization phase make
> signature verification fail. I think browser vendors would be
> reasonable if they resisted making XML signatures of canonicalization
> part of the platform.
> 
> Moreover, most of the Web is HTML, so enthusiasm for XHTML-only
> features is likely very low these days.

I agree. If a method for signature would be introduced, it should be on
HTTP-level instead. For example, the server (or client) could pass an
extra header (e.g. Content-Signature) where value would be the signature
of the content with some extra info about the key&algorithm used for
signature.

-- 
Mikko



More information about the whatwg mailing list