- From: Jeffrey Yasskin <notifications@github.com>
- Date: Thu, 28 Jul 2016 16:33:26 -0700
- To: w3ctag/packaging-on-the-web <packaging-on-the-web@noreply.github.com>
Received on Thursday, 28 July 2016 23:34:11 UTC
One use of this packaging format could be to let folks exchange websites offline. However, if I copy a package from you and open it, and it wants to do something like install a service worker or record video, it needs to live in a [secure context](https://w3c.github.io/webappsec-secure-contexts/), meaning the browser needs a cryptographically secure signature vouching that a particular origin created the package.

Has anyone thought about how to embed that signature and its certificate chain into a package? Can the HTTPS client extract a trustworthy signature automatically, or does it need the server's cooperation?

@talo @slightlyoff

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/packaging-on-the-web/issues/30