In my continuous MachineTag dementia (but at least useful with the license Machine Tag), I experimented with an implementation of an interesting expired Internet-Draft called Link Fingerprints on top of MachineTag. The idea of Link Fingerprints is to attach a fingerprint to the reference of an object, so that the content of the retrieved object can be checked against the object the author initially referenced (you can replace object by file). In other words, to be sure that the file downloaded is the one initially provided by the author. This is very handy when distributing free software over the Internet, to limit the risk of downloading compromised software. The background idea of Link Fingerprints is really good, but embedding it in the URI introduces various issues (discussed in the WG when the Internet-Draft was introduced).
Why not reimplement the idea in MachineTag? Here comes the Machine Tag Link Fingerprint, with a specific namespace called linkfingerprint. How does this work? That's pretty easy if you already know what a MachineTag is (namespace:predicate=value): the namespace is linkfingerprint, the predicate is hash, and the value is the digest algorithm followed by the hex digest.
URL : http://www.foo.be/gnupg-adulau.txt
Tags : adulau linkfingerprint linkfingerprint:hash=md5:cbd9f12c32adec490b23061edb61f5fe
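Here is what a client-side check of such a tag set looks like, as an added example written for this post (it is not the MachineTagLinkFingerprint code itself). It assumes the generic machine tag grammar namespace:predicate=value and the linkfingerprint:hash=algo:hex layout shown in the sample above; the parser, the function names and the sample bytes are this example's own. The check fails closed: no fingerprint tag, an unsupported or unknown algorithm, a malformed digest, or any single mismatch rejects the object. It accepts md5 only because the sample tag uses it; md5 is collision-prone, so new tags should carry sha256 or stronger.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Generic machine tag: namespace:predicate=value (this pattern is the example's own
# assumption; the post only shows the one sample tag).
MACHINE_TAG_RE = re.compile(r"^(?P<ns>[A-Za-z0-9_]+):(?P<pred>[A-Za-z0-9_]+)=(?P<value>.+)$")

# Digest algorithms the checker accepts. md5 is kept only because the post's sample
# tag uses it; it is collision-prone and a weak choice for new tags.
SUPPORTED_ALGOS = {"md5", "sha1", "sha256", "sha512"}


def parse_machine_tags(tags: List[str]) -> List[Tuple[str, str, str]]:
    """Return (namespace, predicate, value) for each machine tag; plain tags are skipped."""
    triples = []
    for tag in tags:
        m = MACHINE_TAG_RE.match(tag.strip())
        if m:
            triples.append((m.group("ns"), m.group("pred"), m.group("value")))
    return triples


def linkfingerprint_hashes(tags: List[str]) -> List[Tuple[str, str]]:
    """Extract (algorithm, hexdigest) from every linkfingerprint:hash=algo:hex tag."""
    found = []
    for ns, pred, value in parse_machine_tags(tags):
        if ns != "linkfingerprint" or pred != "hash":
            continue
        algo, sep, digest = value.partition(":")
        # Reject anything that is not "algo:hex" so a tag can never crash the comparison.
        if not sep or not re.fullmatch(r"[0-9a-fA-F]+", digest):
            raise ValueError(f"malformed linkfingerprint hash value: {value!r}")
        found.append((algo.lower(), digest.lower()))
    return found


def make_hash_tag(algo: str, content: bytes) -> str:
    """Build the tag an author would publish for `content` (used here to construct test data)."""
    return f"linkfingerprint:hash={algo}:{hashlib.new(algo, content).hexdigest()}"


def verify_object(content: bytes, tags: List[str]) -> Tuple[bool, str]:
    """Check downloaded bytes against every linkfingerprint hash tag.

    Fails closed: no fingerprint tag, an unsupported algorithm, a malformed digest
    or any single mismatch all reject the object.
    """
    try:
        expected = linkfingerprint_hashes(tags)
    except ValueError as e:
        return False, str(e)
    if not expected:
        return False, "no linkfingerprint:hash tag found"
    for algo, digest in expected:
        if algo not in SUPPORTED_ALGOS:
            return False, f"unsupported digest algorithm: {algo}"
        actual = hashlib.new(algo, content).hexdigest()
        # Constant-time comparison; the digests are public, but this avoids a cheap footgun.
        if not hmac.compare_digest(actual, digest):
            return False, f"{algo} mismatch: tag says {digest}, content is {actual}"
    return True, f"all {len(expected)} fingerprint(s) match"


# The post's sample tag set for gnupg-adulau.txt. The file itself is not on the page,
# so the constructed bytes below will (correctly) fail to verify against it.
POST_TAGS = ["adulau", "linkfingerprint",
             "linkfingerprint:hash=md5:cbd9f12c32adec490b23061edb61f5fe"]

if __name__ == "__main__":
    sample = b"constructed sample content\n"  # constructed, not the real file
    print(verify_object(sample, POST_TAGS))
    print(verify_object(sample, ["adulau", make_hash_tag("sha256", sample)]))
```

In practice the tags would be fetched from the tagging service (del.icio.us in the post) for the URL, the file would be downloaded separately, and verify_object would run on the bytes before anything is installed or executed.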
The tags are stored in del.icio.us for the test URL. The reduction in security risk does not really come from the use of MachineTags themselves but from the collaborative tagging approach. Collaborative tagging applications (like del.icio.us) often build a network of users, and that network can be used to gain a certain level of trust in a tag. This helps to give some certainty about the object or file to be downloaded. That's not perfect, but it is better than storing the hash or fingerprint in the same directory where the files are hosted: whoever can replace the file there can replace the fingerprint next to it just as easily. I have also updated MachineTagLinkFingerprint to add support for OpenPGP detached signatures.
Tags: fingerprint hash security machinetag linkfingerprint openpgp