- From: Amir Herzberg <amir.herzberg@gmail.com>
- Date: Wed, 2 Feb 2022 13:40:23 -0500
- To: public-webappsec@w3.org
- Message-ID: <CAHBw0M_KjSXqJvg+vVgBVGr3gS+cfw6g4AO-VLCQBRitzhMr9A@mail.gmail.com>

Hi,

I'm updating my web-security presentation for my net-sec class, and think of covering SRI. There's a question I'm curious about.

The draft uses hash based authentication, but doesn't seem to offer an option for using signatures. I can see a performance concern for the use of signatures (validation, mostly), but in a common use case, signatures seem to be more applicable (allowing a cached web-page to use periodically modified resources from a not-fully-trusted CDN, for example).

So I'm interested to learn if this was a decision by the WG, and, if it was, what were the considerations. A URL to relevant email/thread would be helpful; I tried searching the archive but in vain.

Many thanks!
Amir

p.s. I'm sending this to the public mailing list but I'm not subscribed, so please respond to my personal email, thanks.

--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
'Applied Introduction to Cryptography' textbook and lectures: https://sites.google.com/site/amirherzberg/applied-crypto-textbook

Received on Wednesday, 2 February 2022 18:40:48 UTC