- From: Joel Weinberger <jww@chromium.org>
- Date: Wed, 09 Dec 2015 22:48:18 +0000
- To: "Sean B. Palmer" <sean@miscoranda.com>, Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Mike West <mkwst@google.com>, Francois Marier <francois@mozilla.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAHQV2K=SN6iEUev5DcB1EWxom8cYZmT9ZB05s5z7UPaj4xPWSA@mail.gmail.com>
Thanks, Sean. I think the GitHub issue is a good place to start and hash out particular ideas, and when we have some concrete proposals, we'll come back over here for further discussion.

--Joel

On Wed, Dec 9, 2015 at 6:57 AM Sean B. Palmer <sean@miscoranda.com> wrote:
> Thanks, I have done as you suggested:
>
> https://github.com/w3c/webappsec/issues/449#issuecomment-163279813
>
> I'm happy to discuss this in either forum, here or on GitHub or both.
>
> On Wed, Dec 9, 2015 at 1:42 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> > Hey Sean
> >
> > Thanks for emailing! We are talking about this on
> > https://github.com/w3c/webappsec/issues/449
> >
> > Maybe you can chime in with your thoughts?
> >
> > I think most valuable would be input on why cryptographic hashes aren't
> > sufficient for the use case you are interested in (downloads). And, why some
> > of the other solutions like nonce + hmac proposed in the issue don't work
> > either. This will help everyone understand the value of signatures.
> >
> > Cheers
> > Dev
> >
> > On Dec 9, 2015 1:01 AM, "Mike West" <mkwst@google.com> wrote:
> >>
> >> Hi Sean!
> >>
> >> Signature-based integrity is indeed something that I hope the SRI editors
> >> are thinking about. We discussed such a notion at our last face-to-face
> >> meeting, and I think there was general agreement that it was a good
> >> direction to explore (the notes at
> >> http://www.w3.org/2015/10/28-webappsec-minutes#item07 aren't wonderful, but
> >> you get the idea).
> >>
> >> CCing the editors of that document, as I expect them to have feedback for
> >> you.
> >>
> >> -mike
> >>
> >> On Wed, Dec 9, 2015 at 9:56 AM, Sean B. Palmer <sean@miscoranda.com> wrote:
> >>>
> >>> Yesterday I published an Internet-Draft for discussion which proposes
> >>> a method for associating web resources with cryptographic digital
> >>> signatures:
> >>>
> >>> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
> >>>
> >>> Michael Smith directed me to this group as working on a relevant
> >>> technology, Subresource Integrity. I would like to suggest two things:
> >>>
> >>> * That the "integrity" attribute should come with a counterpart link
> >>>   relation for use in the "Link" HTTP header and "rel" HTML attribute.
> >>> * That the "signature" link relation and some signature counterpart to
> >>>   "integrity" may have a place in your Subresource Integrity work.
> >>>
> >>> I understand that the work is advanced, being at the CR phase within
> >>> the W3C. But I would not like to produce a solution to the problem of
> >>> signature verification in complete independence from your work, and I
> >>> therefore solicit your feedback.
> >>>
> >>> --
> >>> Sean B. Palmer
> >>>
> >>
> >
>
> --
> Sean B. Palmer, http://inamidst.com/sbp/
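The thread compares hash-based Subresource Integrity with the signature-based scheme Sean proposes. As an added example, not code from the thread, the Internet-Draft, or the SRI editors, the Python below computes the `integrity` value a page author would embed for a constructed sample script and then verifies fetched bytes against it the way a user agent does, selecting the strongest algorithm listed and ignoring tokens it does not understand. The sample script body and the `app.js` file name are assumptions.

```python
import base64
import hashlib
import hmac

# SRI hash algorithms, ordered weakest to strongest (SRI permits only these three).
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample subresource (not taken from the thread).
SAMPLE_SCRIPT = b"console.log('hello from a subresource');\n"


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Compute the integrity metadata a page author embeds, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(metadata: str) -> list[tuple[str, bytes]]:
    """Split a (possibly multi-token) integrity attribute into (algorithm, digest) pairs.

    Tokens with an unknown algorithm, undecodable base64 or a digest of the wrong
    length are skipped, as a browser skips them, so an author can list a newer
    algorithm for future browsers next to an older one without breaking today's.
    """
    parsed = []
    for token in metadata.split():
        algorithm, sep, rest = token.partition("-")
        if not sep or algorithm not in SRI_ALGORITHMS:
            continue
        # A token may carry '?options' after the digest; SRI defines none, so drop them.
        b64 = rest.split("?", 1)[0]
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        if len(digest) != hashlib.new(algorithm).digest_size:
            continue
        parsed.append((algorithm, digest))
    return parsed


def verify_sri(content: bytes, metadata: str) -> bool:
    """Check fetched bytes against integrity metadata the way a user agent does.

    Only the strongest algorithm present is considered; the content passes if any
    digest listed for that algorithm matches. Empty or wholly unusable metadata
    means "no check", so a typo in the algorithm name lets the resource load.
    """
    parsed = parse_integrity(metadata)
    if not parsed:
        return True
    strongest = max((alg for alg, _ in parsed), key=SRI_ALGORITHMS.index)
    for algorithm, expected in parsed:
        if algorithm != strongest:
            continue
        actual = hashlib.new(algorithm, content).digest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    meta = sri_digest(SAMPLE_SCRIPT)
    print(f'<script src="app.js" integrity="{meta}" crossorigin="anonymous"></script>')
    print("unchanged resource verifies:", verify_sri(SAMPLE_SCRIPT, meta))
    print("modified resource verifies:", verify_sri(SAMPLE_SCRIPT + b"// tampered\n", meta))
```

The metadata commits the referencing page to one exact byte sequence, so every new version of the resource needs fresh metadata in every page that embeds it; a signature, as proposed in the Internet-Draft, commits to a key instead, which is the trade-off the thread is weighing. Note also the fail-open rule at the end of `verify_sri`: a malformed attribute is treated as absent rather than as a mismatch.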
Received on Wednesday, 9 December 2015 22:48:56 UTC