Re: [w3c/manifest] Add field: public key (certificate) (#930)

> I don't quite see how this addresses the Signal use case. The manifest itself still has to be requested, and by the time that happens the site has usually fully loaded. At what point would any key specified in the manifest be used? In what way should it be used?

There is no perfect solution to this chicken-and-egg problem. There needs to be some _trust_ at some point. Usually this is done in the installation step (downloading the installer from the website, setting up apt repository keys, ...). As is common with traditional distribution models (public key displayed on the website alongside the download, apt keys published via Twitter, ...), browsers should show this public key in the PWA installation dialog for verification over another channel.

After installation, all future traffic is protected with an implementation of this proposal:
- safe updates
- safe download of web sites/assets
- safe communication (e.g. XHR)

> This feels like more of a [Web Bundles](https://web.dev/web-bundles/) issue than a manifest thing.

In addition to the browser-based installation approach, _safe distribution_ via other channels (app stores, bundles, etc.) would be as easy as submitting a link to the manifest, since the manifest contains _all_ necessary data.

https://github.com/w3c/manifest/issues/930#issuecomment-662306714

Received on Wednesday, 22 July 2020 08:02:11 UTC