>1) the signature is computed over either the entire HTML or only the static
>parts with strict conditions about the unsigned dynamic parts
[...]
>3) nearly nothing has to be changed on webserver or browser side to access
>the content, the rfc 2660 seems to make much more trouble in this direction

I think you'll find that these two goals are incompatible. I'm sure the core server can remain unchanged, but application development would be radically different. And, unfortunately, many websites are developed by one-trick programmers, people for whom learning anything new is a terrifying prospect. Combine that with the fact that the most common set of data which needs to be protected on a secure web site is credit card numbers, which have adequate legal protections, and the set of people interested in sigHTTP is just too small.

/==============================================================\
|John Stracke                    |Principal Engineer           |
|jstracke@incentivesystems.com   |Incentive Systems, Inc.      |
|http://www.incentivesystems.com |My opinions are my own.      |
|==============================================================|
|"Simply vanished--like an old oak table." --Lord Percy, _Black|
|Adder II_                                                     |
\==============================================================/