- From: Dave Raggett <dsr@w3.org>
- Date: Tue, 02 Apr 2013 17:59:02 +0100
- To: Robin Berjon <robin@w3.org>
- CC: public-sysapps@w3.org, John Lyle <john.lyle@cs.ox.ac.uk>
On 02/04/13 16:46, Robin Berjon wrote:
> On 02/04/2013 13:30 , Dave Raggett wrote:
>> I would like to hear more about the issues around using signing.
>
> I don't want to cast undue aspersions as to various ways in which
> signing may be used in SysApps.
>
> It's just that as a developer, my experience with anything that has
> required signing (and for which I've been in the loop, as opposed to it
> happening under the hood somewhere) has been nothing short of appalling.
>
> It might be that it's mostly been a tooling issue. Signing is not
> something you would normally do by hand, so it's always tool-leveraged.
> It's therefore possible that my experience (and, I'm sure, that of
> others) stems from the tools being terrible; and it might therefore be
> possible to have non-horrible tools for this.

That should be do-able; however, my own experience with signed XML was also horrible. Signed JSON might be much easier. Does anyone have an opinion on the IETF Javascript Object Signing and Encryption (jose) working group and the corresponding draft:

http://datatracker.ietf.org/wg/jose/charter/
http://datatracker.ietf.org/doc/draft-ietf-jose-json-web-signature/

However, signing the byte sequence forming the downloaded manifest file sounds much easier and would protect against a man in the middle attack when checking with the origin server. I think this needs the server's public key to be included in the manifest, but there isn't a need for signing the packaged app up front, which should alleviate your concern.

If as suggested we have a list of permitted IRIs for XHR and web sockets, this could be confirmed at install time by checking with the server associated with the alleged origin that this manifest, and by implication, this packaged app is to be trusted for this origin and access to those hosts.

You could then download the packaged app from anywhere, and be able to confirm that it hasn't been tampered with, and is in fact the same as the app that the origin server vouches for.

I would be interested in John's thoughts on this.

-- 
Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett
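The scheme sketched in the message above (sign the exact manifest bytes, embed the origin server's public key in the manifest, and have the installer confirm both against the key the origin server vouches for) as a worked example. This is added illustration code, not code from the thread, the SysApps group or the JOSE draft. It assumes an Ed25519 key pair standing in for the origin server's key, a JWS-style compact serialization (base64url header, payload and signature over `header.payload`), and a constructed manifest shape with `origin`, `permitted` and `public_key` fields; the installer's fetch of the origin's key is simulated by passing it as a parameter. The JWS draft cited in the message does not list EdDSA; it is used here only because it is in Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// Manifest is the constructed shape of a packaged-app manifest for this example:
// the app's origin, the hosts it may reach (XHR / web sockets), and the origin
// server's public key as the message suggests.
type Manifest struct {
	Name      string   `json:"name"`
	Origin    string   `json:"origin"`
	Permitted []string `json:"permitted"`
	PublicKey string   `json:"public_key"` // base64url of the origin server's Ed25519 key (assumed encoding)
}

// buildManifest produces the exact byte sequence the origin server will sign.
func buildManifest(pub ed25519.PublicKey) ([]byte, error) {
	return json.Marshal(Manifest{
		Name:      "demo-app",
		Origin:    "https://app.example",
		Permitted: []string{"https://api.example", "wss://push.example"},
		PublicKey: b64.EncodeToString(pub),
	})
}

// signManifest wraps the manifest bytes in a JWS compact serialization
// (header.payload.signature) signed with the origin server's private key.
func signManifest(manifest []byte, priv ed25519.PrivateKey) string {
	header := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`))
	signingInput := header + "." + b64.EncodeToString(manifest)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig)
}

// verifyManifest is the installer's check. originKey is the key obtained from
// the server named as the origin (simulated as a parameter). The manifest is
// returned only if the signature over the downloaded bytes verifies under that
// key and the key embedded in the manifest is the same one.
func verifyManifest(jws string, originKey ed25519.PublicKey) (*Manifest, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	// Pin the algorithm rather than letting the header select the verifier.
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil || string(headerJSON) != `{"alg":"EdDSA"}` {
		return nil, errors.New("unexpected JWS header")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(originKey, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature does not verify under the origin server's key")
	}
	var m Manifest
	if err := json.Unmarshal(payload, &m); err != nil {
		return nil, err
	}
	embedded, err := b64.DecodeString(m.PublicKey)
	if err != nil || !bytes.Equal(embedded, originKey) {
		return nil, errors.New("embedded public key does not match the origin server's key")
	}
	return &m, nil
}

// replacePayload simulates a download altered in transit: same header and
// signature, different manifest bytes.
func replacePayload(jws string, payload []byte) string {
	parts := strings.Split(jws, ".")
	parts[1] = b64.EncodeToString(payload)
	return strings.Join(parts, ".")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the origin server's key pair
	manifest, _ := buildManifest(pub)
	jws := signManifest(manifest, priv)
	if m, err := verifyManifest(jws, pub); err == nil {
		fmt.Println("genuine manifest accepted; permitted hosts:", m.Permitted)
	}
	altered := bytes.Replace(manifest, []byte("wss://push.example"), []byte("wss://other.example"), 1)
	_, err := verifyManifest(replacePayload(jws, altered), pub)
	fmt.Println("altered manifest rejected:", err)
}
```

Because the signature covers the downloaded bytes as-is, the package can be fetched from any mirror and still be checked against what the origin server vouches for; the embedded-key comparison is what ties the manifest to that origin rather than to whoever happened to sign it.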
Received on Tuesday, 2 April 2013 16:59:28 UTC