Re: Proposal: not-a-scheme digest URI scheme, with graceful degradation from Brad Hill on 2014-09-20 (public-webappsec@w3.org from September 2014)

From: Brad Hill <hillbrad@gmail.com>
Date: Sat, 20 Sep 2014 10:00:43 -0700
To: Eduardo Robles Elvira <edulix@agoravoting.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8gY=2KsS3S4591rWuO8MC5vCG0xw9b8F7qFmbKayLbqpw@mail.gmail.com>

The proxy domain idea is pretty difficult to fit into existing models
for how browsers and the web work, it creates some rather large issues
with origin-based security used everywhere on the web, and it only
works for downloads.  I believe we're on a more flexible and
compatible track with the SRI approach, and I'm not sure I understand
why you think it doesn't meet the high-level goals you want.  We're
trying to solve problems for users, not create or support arbitrary
new schemes just for the sake of doing so.  Using a subset of ni: uri
features to convey integrity metadata as HTML attributes provides
protection to users with browsers that support it and is ignored by
those that don't, at much lower complexity cost than your proposal.

Regards,

Brad Hill

On Sat, Sep 20, 2014 at 9:05 AM, Eduardo Robles Elvira
<edulix@agoravoting.com> wrote:
> On Sat, Sep 20, 2014 at 3:02 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
>> On 2014-09-20 14:07, Eduardo Robles Elvira wrote:
>>>
>>> Hello everyone:
>>>
>>> I'd like to first bring to your attention the benefits of a digest uri
>>> scheme. There have been proposals in that direction at IETF [0]. It's
>>
>> I think this led to <http://tools.ietf.org/html/rfc6920>.
>>
>>> ...
>>
>> Best regards, Julian
>
> Hello Julian:
>
> Thanks for the information. I'm sorry I haven't read all the related
> standards. That< makes me have some ideas to solve problems that, as
> it turns out, have already been solved - and with a better and more
> generic solution than the one I proposed. That makes me look like a
> fool but I don't worry about that, because it means the Internet is
> well architected :-). I don't want to create too much noise in the
> list though.
>
> The RFC6920 you mention defines a .well-known URI ni suffix that
> creates a better solution to the problem I was referring to. May I
> ask, are browser-vendors planning to support .well-kwnon URI ni suffix
> in their browsers so that if I click in a .well-known ni URI, it loads
> *and checks its integrity*, or currently the idea is just to give the
> minimal RFC6920 support needed to make SRI work (i.e. make ni URIs
> work only as subresources' metadata)?
>
> Regards,
> --
> Eduardo Robles Elvira     @edulix             skype: edulix2
> http://agoravoting.org       @agoravoting     +34 634 571 634
>

Received on Saturday, 20 September 2014 17:01:11 UTC