- From: Lennie <notifications@github.com>
- Date: Tue, 03 Mar 2015 06:58:56 -0800
- To: w3ctag/packaging-on-the-web <packaging-on-the-web@noreply.github.com>
Received on Tuesday, 3 March 2015 14:59:23 UTC
Sorry to bother, I don't know the use-case for packaging, but: instead of a new format, why not make it transport agnostic? Why not sign the content instead of the package? If you sign the content, you can deliver it piecemeal over HTTPS, for example, as well. For example, I believe the research project Mylar signs HTML.

Another idea would be to sign a manifest file (might not be a very popular word anymore because of HTML5 offline support). In the manifest file you can include: the hash of each file, which files don't need to be signed because they are dynamic (like offline support), a certificate and a signature. Although my gut feeling is policy should be included in the HTML file as a CSP header in a meta http-equiv tag instead.

I know webappsec now has Subresource Integrity, but not having to refer to a hash in every HTML file might be easier, so a manifest file could still be useful.

It's just some thoughts.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/packaging-on-the-web/issues/21#issuecomment-76960628