Re: Security use cases for packaging from Yan Zhu on 2015-01-30 (public-webapps@w3.org from January to March 2015)

From: Yan Zhu <yzhu@yahoo-inc.com>
Date: Fri, 30 Jan 2015 06:34:16 +0000 (UTC)
To: Michaela Merz <michaela.merz@hermetos.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <279193332.1729242.1422599656518.JavaMail.yahoo@mail.yahoo.com>

"packaging and complicated signing" is routine for most installable web apps and browser extensions; see https://developer.mozilla.org/en-US/docs/Signing_a_XPI for instance. Developers who build those might actually want the process to be less complicated. 

Given that the packaging spec lists installable web apps as a use case, it should probably define a signature format.

-Yan

On Thursday, January 29, 2015 7:12 PM, Michaela Merz <michaela.merz@hermetos.com> wrote:

Pardon my french, but the whole idea is ridiculous. Web development is
fluid and flexible. While I most certainly understand the idea and the
need for secured loadable code (AFAIK I brought up this issue about 2
months ago), packaging and complicated signing is counter productive.
What about external scripts like jquery? Do I really need to download a
complete package because I fixed a stupid typo in one of the scripts?

Maybe I am completely on the wrong track here (please correct me if I
am) - but I think signed code should be handled completely different -
thus preserving the flexibility of the LAMP/Script environment as we
know it.

Michaela

On 01/30/2015 03:22 AM, Daniel Kahn Gillmor wrote:
> On Thu 2015-01-29 20:14:59 -0500, Yan Zhu wrote:
>> A signed manifest-like package description that lists the hash and
>> location of every resource seems fine as long as all the resources are
>> downloaded and verified before running the app. Perhaps this kills
>> some of the performance benefits motivating packaging in the first
>> place. :(
> Why would you need to fetch all the pieces before running the app?
> Consider a manifest includes an integrity check covering resources X, Y,
> and Z, but X is the only bit of code that runs first, and Y and Z aren't
> loaded.
>
> If you can validate the manifest, then you know you only run X if you've
> verified the manifest and X's integrity.  If the user triggers an action
> that requires resource Y, then you fetch it but don't use it unless it
> matches the integrity check.
>
> (i haven't developed webapps myself for ages, and the idea of a signed
> webapp is relatively new to me, so feel free to explain any obvious part
> that i'm missing)
>
>         --dkg

Received on Friday, 30 January 2015 06:35:09 UTC