Discussed at London F2F. Two issues seem to remain:
1. @plinss is concerned that without using certs, there's too much of a risk of fraudulent public keys allowing attackers to compromise an SRI protected resource.
2. We'd like to ensure that it's possible to send multiple signatures on a single, so you can do key rollover.
Pinging @mikewest.
https://github.com/w3ctag/design-reviews/issues/186#issuecomment-362019120