- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 4 Dec 2008 15:42:46 +0100
- To: "Arve Bersvendsen" <arveb@opera.com>
- Cc: public-webapps@w3.org, "Arthur Barstow" <art.barstow@nokia.com>
Have you considered what the requirements would be for external resources, e.g., scripts sourced through a script tag? -- Thomas Roessler, W3C <tlr@w3.org> On 4 Dec 2008, at 15:36, Arve Bersvendsen wrote: > > Opera's current position is that we do not wish to allow partial > signing, as > a) Unsigned components in a signed package can always in some way be > treated as executable code, and thus it undermines any security > model, or forces vendors to implement a much more complex tainting > model for the content. > > b) As for having different signatures for different components: > While this is slightly less problematic, it should not fall in under > use cases solved for any v1.0 specification, as it also complicates > any security model too much at this stage. > > -- > Arve Bersvendsen > > Developer, Opera Software ASA, http://www.opera.com/ >
Received on Thursday, 4 December 2008 14:42:56 UTC