- From: timeless <timeless@gmail.com>
- Date: Thu, 16 Feb 2012 08:11:06 -0500
- To: public-identity@w3.org

One thing that NetFlix brought up which I'm hitting in [1] is the ability to enable public caching of "signed" content.

Roughly, this is something like:

    getCachableBlobViaHttp(http_url, handleSuspectBlob)

    function handleSuspectBlob(suspectBlob) {
      navigator.crypto.detaintWithSignatureCheckedAgainstCAList(suspectBlob,
        limitedListOfCAs, detaintCallback);
    }

    function detaintCallback(detaintedBlobOrNull, signingCert, suspectBlob) {
      if (detaintedBlobOrNull) {
        /* yay, the resource as detaintedBlobOrNull can be used to not void
           the Blue/Green/Purple seal on our web page */
        myImage.src = convertBlobToURL(detaintedBlobOrNull);
      }
    }

To make a purple state (instead of Blue/Green), I'm envisioning a call:

    navigator.crypto.loadPageWithStrictResourceSignatures(limitedListOfCAs,
      optionalURLdefaultingToCurrentURLifNull)

which would cause the page to navigate to optionalURLdefaultingToCurrentURLifNull and the only HTML, CSS, or Images that could load would be from limitedListOfCAs. XHR to other resources would be allowed but would be tainting (breaking the purple seal) unless they were passed via navigator.crypto.detaintWithSignatureCheckedAgainstCAList.

This isn't something I'm a big fan of, but I think it enables the UC that NetFlix has in mind as well as NFC cards...

There's some overlap to WebApps or WebAppsSec and possibly HTML. Perhaps this sort of thing is already in scope for WebAppsSec - I haven't looked there....

[1] http://lists.w3.org/Archives/Public/public-device-apis/2012Feb/0051.html

--
Sent from my mobile device

Received on Thursday, 16 February 2012 13:11:35 UTC
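
An added illustration, not part of the original message and not any browser API: the verify-before-use check the message describes for content fetched from a public cache, modelled with Node's built-in `crypto` module. The `detaint` and `makeCachedResponse` helpers, the `limitedListOfSigners` map and the Ed25519 keys are assumptions; pinned signer keys stand in for the proposed CA list and certificate validation.

```javascript
// Added example: a cached blob is "suspect" until its detached signature
// verifies against a key on a limited, page-chosen list of signers.
const nodeCrypto = require('crypto');

// Constructed sample keys: one publisher the page trusts, one it does not.
const trusted = nodeCrypto.generateKeyPairSync('ed25519');
const untrusted = nodeCrypto.generateKeyPairSync('ed25519');

// Stand-in for limitedListOfCAs (assumption): signer id -> pinned public key.
const limitedListOfSigners = new Map([['publisher-1', trusted.publicKey]]);

// What a public cache hands back: the bytes plus detached signature metadata.
// The cache is untrusted, so every field here is attacker-controllable.
function makeCachedResponse(body, signerId, privateKey) {
  const blob = Buffer.from(body);
  return { blob, signerId, signature: nodeCrypto.sign(null, blob, privateKey) };
}

// Returns a private copy of the blob if a listed signer signed exactly these
// bytes, otherwise null. Callers must use only the returned copy.
function detaint(suspect, signers) {
  const key = signers.get(suspect.signerId);
  if (!key) return null;                          // signer not on the list
  if (!Buffer.isBuffer(suspect.signature)) return null;
  let ok = false;
  try {
    ok = nodeCrypto.verify(null, suspect.blob, key, suspect.signature);
  } catch (e) {
    ok = false;                                   // malformed input: reject
  }
  return ok ? Buffer.from(suspect.blob) : null;
}

// Constructed cases: intact, modified in the cache, signed by an unlisted key
// while claiming a listed id, and signed under an id that is not listed.
function runCases() {
  const good = makeCachedResponse('image-bytes', 'publisher-1', trusted.privateKey);
  const tampered = Object.assign({}, good, { blob: Buffer.from('image-bytez') });
  const forged = makeCachedResponse('image-bytes', 'publisher-1', untrusted.privateKey);
  const unlisted = makeCachedResponse('image-bytes', 'publisher-2', untrusted.privateKey);
  return [good, tampered, forged, unlisted].map(
    (r) => detaint(r, limitedListOfSigners) !== null);
}
```

The signer id only selects which pinned key to try; the decision rests on the signature verifying under that key, so a cache that rewrites the id or the bytes gets `null`.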