Tyler Close wrote:
> Ben Laurie responding to me:
> > > The only reason to sign something is if you want to provide offline
> > > verification of authenticity, or non-repudiation. I can't think of any
> > > scenarios in which I'd want to verify the authenticity of a URI
> > > offline. It's so much easier to just click on it.
> > Unless you have a reverse mapping embedded in the response to the URL
> > fetch, clicking on it doesn't verify its correctness, only its
> > existence. i.e. what I'm saying is you need a defence against mallet
> > finding that perverting URI mapping uri:A -> url:B to map uri:A -> url:C
> > instead, where url:C is a working URL, has a useful effect.
> How does mallet effect this perversion?
I don't know. Are you saying he can't? Since you were talking about untrusted SLSes earlier, I presumed this was easy!