Blueness - PGP signed HTML

       (__)
       ('')
        \/

=======================================
What is "PGP signed HTML" as opposed to
"OpenPGP Digitally Signed HTML"
=======================================

If you espy a small "logo" picture "PGP signed HTML" near the bottom of the/a HTML page, don't mix it up with the similar "logo" reading "_Open_PGP Digitally Signed HTML" (as you for instance can see on the TJL73's pages <http://tjl73.altervista.org/home.html>), since they are not same things and do not denote same things. My "logo" just says that this HTML document is PGP signed (entirely or in part), and not necessarily _Open_ PGP signed, since I will also use TIGER192 often for this purpose, and some other "features" as well, which are not covered by the so called "OpenPGP standard", so I f{ou|i}nd fair to make the distinction.

This "logo" of mine, which I created myself, also may be freely used by anyone wishing so, but please pay attention not to mix the said two: for instance, if you are using some "features" which are not included in the "OpenPGP standard", to sign your HTML documents (like TIGER192 algorithm, and similar) then would be good to use this logo, and not the one related to "OpenPGP standard". It will prevent confusion.

If you need HTML code for this "logo", here it is...

blue

...and for the small one...

dark red

...and for the small one...

yellow

...and for the small one...

white

...and for the small one...

black

...and for the small one...

...then the logos themeselves...

SHA1 5F35 D12E D649 5664 6024 FB4C 64CE 60EC 3C3C C39A

SHA1 5EDC 8062 15CA 2E39 02CA 22AB 5882 0A08 2033 0C15

SHA1 4FF5 D053 E202 5E3F 7528 4EA5 D15F 3606 0EF3 823A

SHA1 DA6E 5A51 8BA3 D780 F2A6 EB3D 9CB3 6231 81BA 8B4B

SHA1 AB96 1A98 035E D03C 7DEB 1911 8DBF 7D9E 7D88 E5A7

SHA1 FA0A 4D9C C55E 928F D1BF 35A5 EC02 4EDC 4A68 65ED

SHA1 5A4C 1B90 2EE1 168F C76F EE37 1BB6 10B1 BAAE 1C6A

SHA1 BE08 5841 1C08 96D1 43C8 BCFB E2BC 52C3 F9C3 7107

SHA1 98C2 DD9F 0099 D08B 2788 376E 9285 C6DF BA41 4D1A

SHA1 6A16 64DB A161 6F02 A166 E4B5 1D45 15B6 B3A9 7E82

...so be my guests and help yourself.

-�-

Now, if you need/wish to learn how to PGP sign a HTML document, then TJL73's tutorial is a fine place: <http://tjl73.altervista.org/HTML_sign_tutorial/tutorial.html>.

Here, I will explain just how I am doing it myself and for my limited needs, and it is quite simple.

***

Before the text/HTML code we want to PGP sign we put this...

...and after the text/HTML code we want to PGP sign we put this...

...so it looks like this (the " " denotes just the one empty space, at the beginning of the line, and will be explained later)...

<CENTER><TABLE BORDER=0 CELLSPACING=0 CELLPADDING=10 WIDTH="351" BGCOLOR="#fffcf8">
<TR>
<TD>
<FONT face="Verdana" color="#000000" size="2">
Some funny text in a nice table...<BR>
</FONT>
</TD>
</TR>
</TABLE>
</TD>
</TR>
</TABLE>
</CENTER>

...and then we select this part...

<CENTER><TABLE BORDER=0 CELLSPACING=0 BGCOLOR="#990000">
<TR>
<TD>

<CENTER><TABLE BORDER=0 CELLSPACING=0 CELLPADDING=10 WIDTH="351" BGCOLOR="#fffcf8">
<TR>
<TD>
<FONT face="Verdana" color="#000000" size="2">
Some funny text in a nice table...<BR>
</FONT>
</TD>
</TR>
</TABLE>
</TD>
</TR>
</TABLE>
</CENTER>

...and sign it, so it looks like this, in your _editor_ (don't try to verify this signature for it is just a visual example, not a real one)...

<!-- PGP signature...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: TIGER192

-->

<!--
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4-svn-4151 <>o<> tiger192 (Cygwin/MingW32)

iQEVAwUBRIHg9rSpHvHEUtv8AQb4YQf/fRXfkvkeApkHATq2L5KwPMoIxC/pyULG
Aa9RdkcJtbUXEfjKrvtx3wzDazj5Ybsru7RUyLkCJ1jZiqosMNDiOupSTXBNGmR9
DIWDMQzexzTUP0sz6uuPdUAFgbgt7iZlLK2p1RRntEgUcHblKtgliRXqigHwc0C4
eYc39ZhhAEGN+X98PaWmLChp0f3KKao9i5xsg4t4HL8Dzh7qSUZ4+s0z9TwF71mC
IFjOURFjSgs7Qv5pHeIymRcgTkZoRK3soc6NPhjixU5j5WPcpHR/VSCbqaYsV6dV
w/4+qnhlvywkRHtnPFRULtkdxQgWADZaG6UDQgwNB0kFDOgBw3wJDg==
=Sae+
-----END PGP SIGNATURE-----

...PGP signature -->

...and looks like this, in your _browser_...

Some funny text in a nice table...

...just like a nice table with some text in it, and with no a trace of the PGP signature.

It is so, because all the green text is _not_ interpreted by browser (and hence is not visible), but only the one between the green parts, which is the HTML code for the table and the text in it (and hence this part is visible).

This/such green text, which is not intepreted/shown by browser, is called "comment". We give status of a comment to everything we put between this "" sign. With "" we close it.

If we would for instance write to Lucy, in some "blog" or similar, "I love you  so much!", Lucy would in her browser see just the "I love you so much!"

But beware, if Lucy is cunning enough, and able to read the source of such HTML document, she {c|w}ould learn more about what we really feel about her. In this case it is not a Lucy, and we should behave better.

-�-

Now just some notes regarldess you probably know this, as a PGP/GPG user.

1) When you PGP sign the parts of your HTML source, you have to have them not "word-wrapped". Also, if you use GPGShell, or similar programs which have the feature to "wrap" text lines, then you have to turn this feature completely off, that is to set the value "Word-wrap clear-signed text at column:" to 0. Zero.

2) Also, if your lines begin with a dash, "-", then when you clear-sign such a piece of text, the crypto program will add to the beginning of this line the known "- ", a dash and one empty space, so it will look then like this: "- -". If you don't like to see that, just begin such lines with an empty space before this "-".

Here for instance...

- - some text, and then
- - some text again, and
- then some again...

...the first two lines were written like this...

- some text, and then<br>
- some text again, and<br>

...and the third one like this...

- then some again...<br>

...with added the one mentioned empty space (" ") at the beginning, so this line looked nice in browser, with no added "- ", the dash and the space. The format of your text remained (virgo) intacta.

As we know, these additions will not influence validity of the signature, but will give to the signed text a disordered plucked look and will not be very pleasant for reading.

3) Of course, validity of the signature we check not otherwise but by looking at the _source_ of the signed HTML document, since the signature is not visible in browser. I recomend to open/view the source in some plain-text editor, and rather not in a "built-in" source viewer of a browser, since might happen that the latter one will _not_ show the source quite correctly.

4) Apply the procedure described only to the parts of text/HTML code that you know will not be changed by any further manipulation on the side of the server you upload it on or by any other activities of any scripts built-in into the HTML document and similar. For if anything between the START of the signed content and the END of PGP signature would have been changed, then the signature would be verified as "BAD", of course.

Mica Mijatovic

 
-- 
The Blueness [\pgp_signed_html\index.html]
Maintained by 
~blueness~