Re: [W3C Web Security IG] moving the web to HTTPS is currently discussed in TAG

Related: does the TAG want to take any position in this finding on other approaches for code integrity, like the subresource integrity proposals (that I believe are currently stalled)?

Just an FYI here: Subresource Integrity is not stalled, or, no more stalled than many specs. There is even some experimental code in Chrome and soon to be some in Firefox.

We have aggressively trimmed functionality, however, including any ability to use it over plaintext HTTP. So SRI Level 1, as we expect to take it to Last Call in January, is exclusively addressing issues where content served over a secure channel may nonetheless be at risk of compromise at the remote endpoint.

Personally, I still have some ambitions that we can target a headward slice of the shared content Zipf curve with integrity-aware caching in a future Level 2 spec, but it's difficult and subtle to do so, so we're going to see if we can even make it work without those confounding factors first.

And even that is still a different kettle of fish from allowing integrity-verified mixed content, which I think is interesting given how little practical resistance TLS offers to traffic analysis for public resources anyway, but for which I don't expect that finding a consensus strategy to manage the risks it entails will be easy, if it is possible at all.

-Brad Hill

Received on Thursday, 11 December 2014 05:45:50 UTC