- From: Peter Linss <notifications@github.com>
- Date: Fri, 06 Apr 2018 22:00:07 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 7 April 2018 05:00:33 UTC
Hey Mike, We agree that this is an improvement over a simple hash, and are happy to see this move forward. As noted above, we'd like to see the ability to have multiple keys and signatures on a single resource to allow key rollover and cross-signing. There is the one increased risk over a hash in that if an attacker gets a victim to accept a fraudulent key, they can continue to sign new versions of the resource without having to update the key (for example, publish a legit version of a library with a fraudulent key/signature, then after a while, replace the library with a malicious copy using the same key and the victim would likely not notice). I do think that at some point we'll want a more powerful solution including key revocation and ownership proof, such as a certificate based solution, but I'm happy to wait for a future version and implementation experience with signed exchanges before going there. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/186#issuecomment-379432576
Received on Saturday, 7 April 2018 05:00:33 UTC