W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2015

Re: Security use cases for packaging

From: Chris Palmer <palmer@google.com>
Date: Thu, 29 Jan 2015 13:16:40 -0800
Message-ID: <CAOuvq22WMOqvREUWe5OEdq7-+ztsTpMdPuYy0UjQdrypV8PV0w@mail.gmail.com>
To: Yan Zhu <yzhu@yahoo-inc.com>
Cc: "public-webapps@w3.org" <public-webapps@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
But other code from the same origin might not be signed, which could
break the security assertion of code signing.

The unit of signing should be the same as the unit of isolation, i.e.
the origin. Or, the origin should be expanded to include a 4th
element, the signing key(s). I don't know how to achieve that in a way
that does not bring with it the operational risks (bricking) of HPKP
and TACK.
Received on Thursday, 29 January 2015 21:17:09 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:27:25 UTC