Re: Verified Javascript: Proposal from Jeffrey Yasskin on 2017-04-26 (public-webappsec@w3.org from April 2017)

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Wed, 26 Apr 2017 08:36:23 -0700
To: Eduardo Robles Elvira <edulix@nvotes.com>
Cc: Daniel Huigens <d.huigens@gmail.com>, public-webappsec <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>
Message-ID: <CANh-dXn-98=aWZkMDi_KkDwE4uPf7b_CW8QO8OQaRcmdOuaDYA@mail.gmail.com>

On Tue, Apr 25, 2017 at 2:19 AM, Eduardo Robles Elvira <edulix@nvotes.com>
wrote:

> Hello:
>
> Thanks for the work and the proposal Daniel, I think "HTTPS Content
> Signing" (HCS) could be very useful in some websites that value highly
> transparency and trust..
>
> > I wonder how the logged certificates would be used. I would expect web
> apps to update several times a day, or even per hour. How would a user tell
> the difference between a bug fix / feature release on the one hand, and
> something malicious (from their PoV) on the other hand?
>
> This can happen already today if you try to download frequently a page
> source code and diff for changes. It is just not verifiable publicly and
> perhaps more cumbersome.
>
> In any case, even if HCS was to be made into a standard, it won't fit all
> use-cases. If you don't see any advantage to this technology, you could
> just not use it right? I certainly wouldn't find reasonable to force the
> usage of HCS of all web pages and all web sites.
>

Daniel's asking to build HCS into browsers, which means he's asking lots of
other people to do work for him
<https://wiki.whatwg.org/wiki/FAQ#Where.27s_the_harm_in_adding.E2.80.94>.
We have to decide whether the potential benefit is worth that work, and if
it's only appropriate for very few use cases, it's probably not worth it.

Now, HCS is not the only way to achieve its goals. Brad Hill proposed
another way, that would likely work for more kinds of sites, and even
Brad's proposal might not be the best option.

We should follow the WHATWG's proposal process, described at
https://wiki.whatwg.org/wiki/FAQ#Is_there_a_process_for_adding_new_features_to_a_specification.3F:
describe the threat model that we want a defense against, and the kinds of
infrastructure that should be able to deploy the solution, and then look
for defenses against those threats that can be deployed by those kinds of
infrastructure.

The https://github.com/twiss/hcs repository would be a good place to start
that requirements document if you're interested in pursuing it, or Brad
might already have a document started somewhere else.

Jeffrey

Received on Wednesday, 26 April 2017 15:37:19 UTC