(I have intentionally used a random example paper about non-repudiable TLS extensions)
I recall over the years occasionally reading comments reminding people of early proposals for non-repudiable HTTPS request/response serving.
Today browsers can verify server authentification using HTTPS protocols. From then on a shared symmetric key is used, so user agents (and thus users) can not prove to a third party (friends, polive, judges, etc.) that a website gave a specific response.
I recall that such functionality was repeatedly proposed, but systematically rejected, and also recall reading comments on HN reminding of this fact, at least once referencing a specific RFC that long predated TLS Notary. (I no longer find this comment.)
I recall the RFC proposal did not rely on having a third party witness like TLS Notary, but effectively was a server signature of the page contents.
(The TLS Notary system basically was basically a trusted service, "He said, she said..." whereas the original rejected RFC proposals were direct and to the point "Let everyone speak (and sign) for themselves".)
Which such RFC proposals do you know about? Is there a timeline of such proposals?
In a world of false advertising etc. this seems like an important property for the basic web infrastructure.
It may also have applications for end-users to prove bandwidth consumption vis-a-vis ISP's.
It may also have applications to clear oneself regarding illicit content consumption: suppose that in some country it were punishable to consume content like "Tiananmen Square Tank Man" images, then a local search engine Baityou may intentionally redirect you to such content by hiding the target URL under an irrelevant search result. i.e. If you searched "cheap battery" the Baityou search engine could trick you into clicking on a link like "CheapestBatteriesInTown", but effectively redirect you to a Tank Man web page. With current infrastructure, the civilian can not prove he was tricked into visiting this locally illicit content, since the response of the Baityou search engine web servers was not signed.
Again, I am looking for:
1) Any such concrete proposals, perhaps journal articles, perhaps RFC proposals, ...
2) Some kind of history of these proposals
3) Especially the earlier and earliest proposals ("This was already proposed back <some_date>, but was systematically blocked")
I recall over the years occasionally reading comments reminding people of early proposals for non-repudiable HTTPS request/response serving.
Today browsers can verify server authentification using HTTPS protocols. From then on a shared symmetric key is used, so user agents (and thus users) can not prove to a third party (friends, polive, judges, etc.) that a website gave a specific response.
I recall that such functionality was repeatedly proposed, but systematically rejected, and also recall reading comments on HN reminding of this fact, at least once referencing a specific RFC that long predated TLS Notary. (I no longer find this comment.)
I recall the RFC proposal did not rely on having a third party witness like TLS Notary, but effectively was a server signature of the page contents.
(The TLS Notary system basically was basically a trusted service, "He said, she said..." whereas the original rejected RFC proposals were direct and to the point "Let everyone speak (and sign) for themselves".)
Which such RFC proposals do you know about? Is there a timeline of such proposals?
In a world of false advertising etc. this seems like an important property for the basic web infrastructure.
It may also have applications for end-users to prove bandwidth consumption vis-a-vis ISP's.
It may also have applications to clear oneself regarding illicit content consumption: suppose that in some country it were punishable to consume content like "Tiananmen Square Tank Man" images, then a local search engine Baityou may intentionally redirect you to such content by hiding the target URL under an irrelevant search result. i.e. If you searched "cheap battery" the Baityou search engine could trick you into clicking on a link like "CheapestBatteriesInTown", but effectively redirect you to a Tank Man web page. With current infrastructure, the civilian can not prove he was tricked into visiting this locally illicit content, since the response of the Baityou search engine web servers was not signed.
Again, I am looking for:
1) Any such concrete proposals, perhaps journal articles, perhaps RFC proposals, ...
2) Some kind of history of these proposals
3) Especially the earlier and earliest proposals ("This was already proposed back <some_date>, but was systematically blocked")