[packaging-on-the-web] Security use cases for packaging (#21)

The intro says: 
```
Initiatives such as Firefox OS and Chrome OS demonstrate the potential of trusted, installable applications built with web technologies. To be used in this way, applications must be self-contained packages of resources that can be tested and signed. 
```

IMO, the ability to verify trusted signatures on packaged apps provides a huge security advantage over regular web apps that don't use packaging. This is part of why many developers who make encrypted messaging apps implement them as browser extensions or Chrome apps instead of as web pages (popular examples include Google's End to End and Cryptocat).

The rest of the document doesn't say anything about signatures, though #8 suggests that the SPF format may include a signature header. FWIW, I don't think it is a good idea to put a signature in a package header or part header, because the content of the other headers should be signed as well. PGP/MIME is an example of how to securely include a signature over a MIME structure (see http://www.ietf.org/rfc/rfc3156.txt, section 5).

Given the importance of signatures, especially for installable apps, it would be nice for this draft to be specific about the signature format and how the client is supposed to verify it. For instance, is the signing key itself supposed to be included in the package? Should the client always verify an SPF signature if one is included before loading the resources (this means it has to wait until the entire package is downloaded before loading anything from it)? etc.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/packaging-on-the-web/issues/21

Received on Friday, 23 January 2015 01:00:10 UTC
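The point made in the comment above, that a signature carried in a header only covers whatever was hashed to produce it and leaves the other headers unsigned, can be shown concretely. The following is an added example written for this page, not code from the commenter, the W3C TAG draft, or the SPF proposal in #8. It assumes a toy package layout (package headers, then boundary-delimited parts, each with its own `Content-Location` and `Content-Type` headers and a body) and uses Ed25519 from the Go standard library as a stand-in for whatever signature algorithm the draft would eventually pick. Scheme A signs only the part bodies and could therefore be carried in a package header; scheme B is the RFC 3156 section 5 shape, a detached signature over the exact bytes of the whole inner entity, headers included. The sample package and the tampering (relabelling an inert `text/plain` part as `text/html` without changing a single body byte) are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Header is one "Name: value" line. Slices rather than maps keep the
// serialization order deterministic, which matters once a detached
// signature covers the exact bytes of the entity.
type Header struct{ Name, Value string }

// Part is one resource in the package: its own headers, then its body.
type Part struct {
	Headers []Header
	Body    []byte
}

func writeHeaders(b *bytes.Buffer, hs []Header) {
	for _, h := range hs {
		fmt.Fprintf(b, "%s: %s\r\n", h.Name, h.Value)
	}
	b.WriteString("\r\n")
}

// serializeEntity renders the whole inner package entity: package-level
// headers, then each part (its headers and body) behind a boundary line.
func serializeEntity(pkgHeaders []Header, parts []Part, boundary string) []byte {
	var b bytes.Buffer
	writeHeaders(&b, pkgHeaders)
	for _, p := range parts {
		fmt.Fprintf(&b, "--%s\r\n", boundary)
		writeHeaders(&b, p.Headers)
		b.Write(p.Body)
		b.WriteString("\r\n")
	}
	fmt.Fprintf(&b, "--%s--\r\n", boundary)
	return b.Bytes()
}

// bodiesOnly is what scheme A signs: the part bodies concatenated, with
// every header (package-level and per-part) left out of the signed data.
func bodiesOnly(parts []Part) []byte {
	var b bytes.Buffer
	for _, p := range parts {
		b.Write(p.Body)
	}
	return b.Bytes()
}

// relabel returns a copy of parts in which parts[i] carries a different
// Content-Type. No body byte changes, so a bodies-only signature still
// matches; a whole-entity signature does not, because the header line is
// part of the signed bytes.
func relabel(parts []Part, i int, newType string) []Part {
	out := make([]Part, len(parts))
	copy(out, parts)
	hs := make([]Header, len(parts[i].Headers))
	copy(hs, parts[i].Headers)
	for j := range hs {
		if hs[j].Name == "Content-Type" {
			hs[j].Value = newType
		}
	}
	out[i] = Part{Headers: hs, Body: parts[i].Body}
	return out
}

// RunDemo signs a constructed two-part package both ways, relabels the
// second part, and reports whether each scheme still accepts the result.
func RunDemo() (bodiesOnlyAccepts, wholeEntityAccepts bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const boundary = "pkg-boundary" // constructed
	pkgHeaders := []Header{{"Content-Type", "multipart/package; boundary=" + boundary}}
	parts := []Part{
		{Headers: []Header{{"Content-Location", "/index.html"}, {"Content-Type", "text/html"}},
			Body: []byte("<html><body>hello</body></html>")},
		// Shipped as inert text; the body happens to be markup.
		{Headers: []Header{{"Content-Location", "/notes.txt"}, {"Content-Type", "text/plain"}},
			Body: []byte("<script>alert('now executable')</script>")},
	}

	sigA := ed25519.Sign(priv, bodiesOnly(parts))                                  // scheme A
	sigB := ed25519.Sign(priv, serializeEntity(pkgHeaders, parts, boundary))       // scheme B
	if !ed25519.Verify(pub, bodiesOnly(parts), sigA) ||
		!ed25519.Verify(pub, serializeEntity(pkgHeaders, parts, boundary), sigB) {
		panic("the untouched package must verify under both schemes")
	}

	// Attacker in the path relabels /notes.txt as HTML; bodies are untouched.
	evil := relabel(parts, 1, "text/html")
	bodiesOnlyAccepts = ed25519.Verify(pub, bodiesOnly(evil), sigA)
	wholeEntityAccepts = ed25519.Verify(pub, serializeEntity(pkgHeaders, evil, boundary), sigB)
	return
}

func main() {
	a, b := RunDemo()
	fmt.Printf("bodies-only (header-carried) signature accepts relabelled package: %v\n", a)
	fmt.Printf("detached whole-entity signature accepts relabelled package:        %v\n", b)
}
```

The detached form also answers the ordering question raised in the comment: because the signature covers the serialized entity end to end, a client that wants to verify before loading anything must hold the whole package until the trailing signature part has arrived, whereas per-part signatures could be checked as each part streams in, at the cost of leaving the package-level headers unsigned unless they are covered separately.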