
Ask HN: Why not sign text resources on the web? - EGreg
With the blockchain, we now have an immutable, globally available datastore. Why not make a browser extension that allows authors of resources on the web to sign them? The signatures could be stored in merkle trees whose root signature would be stored on the blockchain. That would be, in some sense, "the root authority" for checking the HMACs.

And if the files are going to be the same, they might as well be addressable by the hash or magnet url scheme. Why is something like this not available as a browser extension for those who care about the files they load always being the same?

Caveat: of course, signed files can still dynamically load other dependencies which can change at any time, but we could apply this logic recursively to any network request. That would allow authors to sign "bundles" on the web, like they do in the app store. If a web app did something malicious, it wouldn't be because rogue JavaScript was injected by a third party. Users would be able to trust the real publishers of apps.
======
niftich
Help me understand. Why sign resources? To prove authorship? What prevents me
from signing a resource that's actually "someone else's"?

Your idea about content-addressable storage (i.e. by hash) has been implemented
in networks like IPFS [1], Freenet [2], and BitTorrent [3]. With the
introduction of a recent spec called subresource integrity [4], a content-
addressable cache/database was proposed, but it has an interesting security
implication (failure mode) discussed in this HN thread [5].

[1] [https://ipfs.io/](https://ipfs.io/)

[2] [https://freenetproject.org/](https://freenetproject.org/)

[3] [http://stackoverflow.com/questions/3844502/how-do-bittorrent...](http://stackoverflow.com/questions/3844502/how-do-bittorrent-magnet-links-work)

[4] [https://www.w3.org/TR/SRI/](https://www.w3.org/TR/SRI/)

[5] [https://news.ycombinator.com/item?id=10310594](https://news.ycombinator.com/item?id=10310594)
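
Added example, not part of the original thread: a sketch of the check the question proposes, where each resource in a bundle gets an SRI-style digest, the digests form a Merkle tree, and a client verifies one fetched resource against the published root using an inclusion proof. The URLs, bundle contents and function names are constructed for illustration; signing the root and publishing it are assumed to happen elsewhere.

```python
import base64
import hashlib

def sri_digest(body: bytes) -> str:
    # Same shape as a Subresource Integrity value: "sha384-" + base64(digest).
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def leaf_hash(url: str, body: bytes) -> bytes:
    # Bind the digest to its URL; the 0x00 prefix keeps leaves distinct from nodes.
    data = url.encode() + b"\n" + sri_digest(body).encode()
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    # All tree levels, leaves first; an unpaired node is promoted unchanged.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    # Sibling hashes from leaf to root, each tagged "sibling is on the left".
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((sibling < index, level[sibling]))
        index //= 2
    return proof

def verify(url, body, proof, root):
    # What a client would run on a fetched resource before using it.
    h = leaf_hash(url, body)
    for sibling_is_left, sibling in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

# Constructed sample bundle (hypothetical URLs and contents).
BUNDLE = [
    ("https://app.example/index.html", b"<script src=app.js></script>"),
    ("https://app.example/app.js", b"console.log('v1');"),
    ("https://app.example/style.css", b"body{margin:0}"),
]
LEVELS = build_levels([leaf_hash(u, b) for u, b in BUNDLE])
ROOT = LEVELS[-1][0]  # the single value a publisher would sign and publish
```

A verified proof only shows that the bytes match what was committed under the root; whose root it is still depends on how the signing key is tied to the publisher, which is the authorship question raised in the reply above.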

