> wouldn't the server sign all http responses by default? all you would need to do is upload a file
No, the content has to be signed when it is created, in the content management system or similar content creation tool, not when the server sends it. The content management system itself must have strong controls on it (ACLs, controlled user accounts, protected private keys stored only on encrypted and access controlled media, regular audits, etc).
Basically the server itself is no longer trusted as the arbiter of content authenticity, the actual content creator is. Concretely, when the editor at a publication approves an article after reviewing it, it is signed for delivery at the moment of publication, not at the moment that the request is served.
so that means i can sign a page on the editor's computer, take it with me and serve it to amp from my website? that sounds even more dangerous tbh. it delegates security from people who may know a little bit about it (web hosts) to people who likely know nothing about it (writers)
what happens if someone's key is stolen and they need to re-issue it? All the previously published copies are now invalid?
Does SXG make this better or worse?
> ensures that it was created using the private keys
signing at the server ensures that it was created using the key AND served from a host they control. How is that not better?
> you can't represent your content
wouldn't the server sign all http responses by default? all you would need to do is upload a file