- From: timeless <timeless@gmail.com>
- Date: Thu, 15 Mar 2012 23:33:30 -0400
- Cc: "public-identity@w3.org" <public-identity@w3.org>
- Message-ID: <CANAYn0GqZ8KTz8=c4C2GWtKXEvmF2VfngmmCq0Y-nA_FeVQO-w@mail.gmail.com>
On Thursday, February 16, 2012, timeless <timeless@gmail.com> wrote:
> One thing that NetFlix brought up which I'm hitting in [1] is the
> ability to enable public caching of "signed" content.
>
> Roughly, this is something like:
>
> getCachableBlobViaHttp(http_url, handleSuspectBlob)
>
> function handleSuspectBlob(suspectBlob) {
>   navigator.crypto.detaintWithSignatureCheckedAgainstCAList(suspectBlob,
>     limitedListOfCAs, detaintCallback);
> }
>
> function detaintCallback(detaintedBlobOrNull, signingCert, suspectBlob) {
>   if (detaintedBlobOrNull) {
>     /* yay, the resource as detaintedBlobOrNull can be used to not void
>        the Blue/Green/Purple seal on our web page */
>     myImage.src = convertBlobToURL(detaintedBlobOrNull);
>   }
> }
>
> To make a purple state (instead of Blue/Green), I'm envisioning a call:
> navigator.crypto.loadPageWithStrictResourceSignatures(limitedListOfCAs,
> optionalURLdefaultingToCurrentURLifNull) which would cause the page to
> navigate to optionalURLdefaultingToCurrentURLifNull and the only HTML,
> CSS, or Images that could load would be from limitedListOfCAs. XHR to
> other resources would be allowed but would be tainting (breaking the
> purple seal) unless they were passed via
> navigator.crypto.detaintWithSignatureCheckedAgainstCAList.
>
> This isn't something I'm a big fan of, but I think it enables the UC
> that NetFlix has in mind as well as NFC cards...
>
> There's some overlap to WebApps or WebAppsSec and possibly HTML.
>
> Perhaps this sort of thing is already in scope for WebAppsSec - I
> haven't looked there....
>
> [1] http://lists.w3.org/Archives/Public/public-device-apis/2012Feb/0051.html
>
> --
> Sent from my mobile device
Received on Friday, 16 March 2012 03:33:59 UTC
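
The detaint step sketched in the quoted message, as an added example that is not part of the original post and not a real browser API. It assumes pinned Ed25519 public keys stand in for the limited CA list (no X.509 chain validation), and the envelope format, key ids and helper names are hypothetical.

```javascript
// Added example (Node.js). Pinned signer keys replace the CA list (assumption).
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed signers: the publisher is on the limited list, the outsider is not.
const publisher = generateKeyPairSync('ed25519');
const outsider = generateKeyPairSync('ed25519');
const limitedListOfSigners = new Map([['publisher-1', publisher.publicKey]]);

// What a public cache would hand back: body plus detached signature.
// The envelope layout is constructed for this example.
function makeEnvelope(body, keyId, privateKey) {
  const bytes = Buffer.from(body);
  return { keyId, body: bytes, signature: sign(null, bytes, privateKey) };
}

// Returns the verified bytes, or null if the blob must stay tainted.
function detaint(suspectBlob, trustedSigners) {
  // The key id is only a lookup hint; trust comes from the pinned key itself.
  const key = trustedSigners.get(suspectBlob.keyId);
  if (!key) return null; // signer is not on the limited list
  let ok = false;
  try {
    ok = verify(null, suspectBlob.body, key, suspectBlob.signature);
  } catch {
    ok = false; // malformed key or signature: fail closed
  }
  // Hand back a copy so later changes to the cached object cannot alter
  // the bytes that were actually verified.
  return ok ? Buffer.from(suspectBlob.body) : null;
}

// Mirrors detaintCallback from the message: only detainted bytes are used.
function loadResource(suspectBlob) {
  const clean = detaint(suspectBlob, limitedListOfSigners);
  return clean ? { seal: 'intact', bytes: clean } : { seal: 'untouched', bytes: null };
}

// Constructed cases: genuine, modified by the cache, and signed by an outsider
// who claims the publisher's key id.
const genuine = makeEnvelope('image-bytes', 'publisher-1', publisher.privateKey);
const modified = { ...genuine, body: Buffer.from('other-bytes') };
const forged = makeEnvelope('image-bytes', 'publisher-1', outsider.privateKey);
for (const [name, blob] of Object.entries({ genuine, modified, forged })) {
  console.log(name, loadResource(blob).bytes ? 'accepted' : 'rejected');
}
```

A rejected blob is never assigned to the page, which is what keeps the seal intact in the proposal; the cache itself needs no trust because every byte is checked after retrieval.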