To extend this to archival integrity without cooperation from the server/host, you'd need the client to sign the received bytes.
But then you need the client to be trusted, which clashes with distributing.
Hypothetically, what about trusted orgs standing up an endpoint that you could feed a URL, then receive back attestation from them as to the content, then include that in your own archive?
Compute and network traffic are pretty cheap, no?
So if it's just grabbing the same content you are, signing it, then throwing away all the data and returning you the signed hash, that seems pretty scalable?
Then anyone could append that to their archive as a certificate of authenticity.
But then you need the client to be trusted, which clashes with distributing.
Hypothetically, what about trusted orgs standing up an endpoint that you could feed a URL, then receive back attestation from them as to the content, then include that in your own archive?
Compute and network traffic are pretty cheap, no?
So if it's just grabbing the same content you are, signing it, then throwing away all the data and returning you the signed hash, that seems pretty scalable?
Then anyone could append that to their archive as a certificate of authenticity.