- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 04 Sep 2014 22:31:20 +0200
- To: Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>
- CC: "Hill, Brad" <bhill@paypal.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 2014-07-29 02:13, Chris Palmer wrote:
> ...
> The run-time provable, run-time enforceable way is for sites to serve
> download pages and the downloaded files themselves via HTTPS with
> valid certificates, and then to make use of (for code downloads)
> whatever code-signing mechanism the destination platform provides
> (every platform provides some kind of code authentication now).
> ...

1) This defeats public caching.

2) It also doesn't help with many types of downloads, such as source archives.

Best regards, Julian

Received on Thursday, 4 September 2014 20:32:00 UTC