Hi John,

On Friday, 21 June 2002, at 15:32, John Stracke wrote:

>> 1) the signature is computed over either the entire HTML or only the static
>> parts with strict conditions about the unsigned dynamic parts
> [...]
>> 3) nearly nothing has to be changed on webserver or browser side to access
>> the content, the rfc 2660 seems to make much more trouble in this direction
>
> I think you'll find that these two goals are incompatible. I'm sure
> the core server can remain unchanged, but application development
> would be radically different. And, unfortunately, many websites are
> developed by one-trick programmers, people for whom learning anything
> new is a terrifying prospect. Combine that with the fact that the
> most common set of data which needs to be protected on a secure web
> site is credit card numbers, which have adequate legal protections,
> and the set of people interested in sigHTTP is just too small.

As expected I have to disagree with your post ;-)

The third point means if you are not interested in checking the signature as a regular web surfer your actual user software won't complain about the additional infos in the server header reply and in the HTML structure.

The work for the developer will for sure be incremented, only slightly if he has mostly static pages. This might be the chance to sell yourself to your customers by delivering not simple student level websites but secure websites. I think the additional work must influence the marketing and vice versa.

And at least I think you are too pessimistic about the small number of interested people. I have the impression that here in Germany there are still lots of people concerned and frightened every time some TV magazine reports online banking bugs here and security frauds there. If everyone is complaining, how about solving it in a simple way?

with kind regards

--
Think Safety
www.security-gui.de & www.sighttp.org