- From: Nick Doty via GitHub <sysbot+gh@w3.org>
- Date: Mon, 10 Jul 2023 20:40:21 +0000
- To: public-dxwg-wg@w3.org
It's an improvement to at least have these concerns noted in the spec.

By convention (and to make it parallel with the following section), I would suggest "Security and Privacy Considerations" as a title.

I think "is also not guaranteed" should be "is not also guaranteed".

You might describe addressing these concerns at both the application level and the transport level -- that may be what you mean, but we would note in the Web context that an attacker could tamper with the contents between the server and client if a security-sensitive property like a checksum were delivered over an insecure transport.

This text seems to suggest that the checksum value and algorithm aren't typically sufficient for calculating and comparing checksums and that separately a publisher should provide instructions so that a checksum can be accurately calculated. Have there been interoperable implementations that do calculate and compare these checksums? Or is it just a case-by-case manual review of the documentation and then calculation of a checksum? If the latter, I'm not clear what interoperability we are getting by adding it to the spec.

(Apologies for my belated review and follow-up.)

--
GitHub Notification of comment by npdoty
Please view or discuss this issue at https://github.com/w3c/dxwg/issues/1526#issuecomment-1629699419 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 10 July 2023 20:40:23 UTC