@espectalll @micahflee Hmm, yes, I suppose it's possible some Qubes users will actually do that.

But, more generally, it does show a rather gaping hole in standard web infrastructure in that there's no general mechanism to convey and check the original author's signature on web pages.

@edavies @espectalll @micahflee wellllll... there's SSL...
this basically allows end-to-end encryption to the hosting server.
But you're right that this doesn't validate the contents.

Ed Davies @edavies

@upshotknothole @espectalll @micahflee Exactly, the hosting provider could fiddle with the documents easily.

Toots ought to be signed, too.

@edavies @espectalll @micahflee This assumes user generated content. That's impossible to properly manage from a server side.

@upshotknothole @espectalll @micahflee Yes, of course the signing needs to be done on the user's machine. It needs to be part of the web protocols and browser functionality.

(Which brings us back to Qubes - the VM you toot from needs access to at least a low-grade signing key so probably ought to be separate from the one you do most of your browsing on.)

@edavies @espectalll @micahflee that's not hard. You can separate the subkey from the master. The master can invalidate the subkey but the subkey itself can't harm the master.
Haven't used it for various VMs tho.
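
The master/subkey split described in the last post, as an added example that is not part of the original thread: a certify-only master key stays on the trusted side and only the signing subkey's secret is moved to the keyring a tooting VM would use. It assumes GnuPG 2.1 or later; the user ID, the temporary homedirs and the helper names `g` and `subkey_demo` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: throwaway keys in temporary GnuPG homedirs (constructed data,
# empty passphrase so it runs unattended). Assumes GnuPG 2.1 or later.

# Hypothetical helper: run gpg non-interactively against one homedir.
g() {
  local home="$1"; shift
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Prints three words: <master-secret-marker> <signature-check> <vm-can-certify>
subkey_demo() {
  local master vm fpr marker sig certify
  master=$(mktemp -d) && vm=$(mktemp -d) || return 1

  # Trusted side: certify-only master key, then a signing subkey valid for one year.
  g "$master" --quick-generate-key 'Demo Tooter <demo@example.invalid>' ed25519 cert never >/dev/null 2>&1
  fpr=$(g "$master" --list-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
  g "$master" --quick-add-key "$fpr" ed25519 sign 1y >/dev/null 2>&1

  # Hand the tooting VM only the subkey secret; the master secret stays behind.
  g "$master" --export-secret-subkeys "$fpr" 2>/dev/null | g "$vm" --import >/dev/null 2>&1

  # Field 15 of the "sec" record is "#" when the master secret is only a stub.
  marker=$(g "$vm" --list-secret-keys --with-colons | awk -F: '$1=="sec"{print $15; exit}')

  # The VM can still sign; the trusted side verifies with the public key.
  if printf 'hello fediverse\n' | g "$vm" --clearsign 2>/dev/null | g "$master" --verify >/dev/null 2>&1
  then sig=good; else sig=bad; fi

  # Without the master secret the VM keyring cannot certify a new subkey.
  if g "$vm" --quick-add-key "$fpr" ed25519 sign 1y >/dev/null 2>&1
  then certify=yes; else certify=no; fi

  gpgconf --homedir "$master" --kill all >/dev/null 2>&1 || true
  gpgconf --homedir "$vm" --kill all >/dev/null 2>&1 || true
  rm -rf "$master" "$vm"
  echo "$marker $sig $certify"
}

subkey_demo
```

The `#` marker is the same one `gpg --list-secret-keys` shows as `sec#` in its human-readable output.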