Re: [Integrity] Signature based subresource integrity? from Daniel Roesler on 2014-07-22 (public-webappsec@w3.org from July 2014)

From: Daniel Roesler <diafygi@gmail.com>
Date: Tue, 22 Jul 2014 07:41:52 -0700
To: Eduardo Robles Elvira <edulix@agoravoting.com>
Cc: public-webappsec@w3.org
Message-ID: <CA+65OspC2rbkzXtSzSB+VdMvtS=mW1FTGDkQqS_uGTcbgAaWVA@mail.gmail.com>

Thanks for the response. Is there another specification that is
targeted towards dynamic resources?

Consider the following example: I trust the creators of webkit.js[1]
and want to use that library in my website as a resource. However,
they only distribute the library through a CDN[2], who I do not trust.
I could re-host the library myself, but that kind of defeats the
purpose of using a CDN (pre-caching, auto-updating, etc.).

This is very analogous to Linux package mangers, where often
developers can't afford host their resource themselves. By signing
their resource, any repo mirror can host the file and any system can
safely install the resource from any mirror.

The biggest use case for something like integrity-through-signing
would be for FIrefoxOS app developers. Currently, you have to package
all the resources you need in your app, which leads to a ton of
duplicated resources on a device. It would be great to have
dependencies (just like a Linux package manager) so you didn't have to
package subresources in your app.

Daniel

[1] - https://github.com/trevorlinton/webkit.js/tree/master
[2] - http://cdnjs.com/libraries/webkit.js

On Tue, Jul 22, 2014 at 2:41 AM, Eduardo Robles Elvira
<edulix@agoravoting.com> wrote:
> Hello Daniel:
>
> Sure, that's possible. It's called TLS :-P Seriously, that's what TLS
> was invented for. I would expect that the normal usage of hashed
> subresources never change. If you link to
> http://example.com/jquery-1.5.1.min.js and you need to use a newer
> version, you can put it in another URL and link to it. subresource
> integrity doesn't seem to be targeted for dynamic subresources.
>
> Regards,
>
> On Mon, Jul 21, 2014 at 4:26 AM, Daniel Roesler <diafygi@gmail.com> wrote:
>> Howdy all,
>>
>> I'm trying to figure out how I can validate an included remote
>> javascript file (i.e. subresource) and still allow that file to be
>> updated by the trusted remote party?
>>
>> I know the spec currently just allows you to set a hash of the
>> expected resource. However, when the trusted remote party updates
>> their resource, it breaks the integrity and I have to go and update my
>> site with the new hash (a pain for me).
>>
>> To solve this pain point, would it be possible to use signatures as
>> the method for validating integrity? That way, I could just include
>> the public key for the remote party in the integrity attribute and
>> have the browser check some sort of signature sent with the resource
>> from the remote party.
>>
>> Obviously, this would require some sort of cooperation from the remote
>> party (a Signature header, maybe?), but I would be okay with that
>> since they are trusted.
>>
>> Is there a way to do this in this specification or another specification?
>>
>> Thanks!
>> Daniel
>>
>>

Received on Tuesday, 22 July 2014 14:42:49 UTC