- From: Francois Marier <francois@mozilla.com>
- Date: Wed, 31 Dec 2014 12:07:01 +1300
- To: public-webappsec@w3.org
On 31/12/14 07:12, Brad Hill wrote:
> I also think there is a third way to handle deprecated algorithms - the
> way we handle them for SSL today - fail open and show a warning to
> encourage operators to perform necessary maintenance, then, after a
> reasonable time, fail closed.

There are two cases [1] to think about:

1. <script integrity="ni:///sha-512;foo"> for a modern browser that no
   longer considers that hash algorithm secure
2. <script integrity="ni:///sha-1024;foo"> for an older browser that
   doesn't know about this new hash algorithm

I think you're suggesting we fail open (for a time anyways) in the first case by keeping a list of known-but-no-longer-trusted hash algorithms. I can draft a pull request for this.

What should we do for completely unknown hash algorithms? (i.e. case 2 with old browsers)

Dev suggested that perhaps failing open is the only sane way to let site admins support the long tail of browsers.

Francois

[1] In both cases, the result of the metadata list parsing algorithm in the spec is the empty string: there is integrity metadata, but the browser doesn't support any of it.
Received on Tuesday, 30 December 2014 23:07:32 UTC
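
The two cases in the message above, written out as a decision function. This is an added example, not part of the original message and not the spec's algorithm; the policy tables, the graceOver switch and the result shape are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumed policy tables, constructed for this example: they mirror the
// message's hypothetical where sha-512 is deprecated and sha-1024 is unknown.
const TRUSTED = new Map([['sha-256', 'sha256'], ['sha-384', 'sha384']]);
const DEPRECATED = new Set(['sha-512']);

// Split the attribute into { alg, digest } pairs; malformed tokens are dropped.
function parseIntegrity(attr) {
  const items = [];
  for (const tok of attr.trim().split(/\s+/)) {
    const m = /^ni:\/\/\/([a-z0-9-]+);([A-Za-z0-9_-]+)$/.exec(tok);
    if (m) items.push({ alg: m[1], digest: m[2] });
  }
  return items;
}

// base64url without padding, the digest encoding used by ni: URIs (RFC 6920).
function b64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// graceOver is a hypothetical switch for "after a reasonable time, fail closed".
function decide(attr, body, graceOver = false) {
  const items = parseIntegrity(attr);
  if (items.length === 0) return { load: true, warn: false, reason: 'no-usable-metadata' };

  // Any trusted algorithm present: enforce it and ignore weaker entries.
  const trusted = items.filter((i) => TRUSTED.has(i.alg));
  if (trusted.length > 0) {
    const ok = trusted.some((i) =>
      b64url(crypto.createHash(TRUSTED.get(i.alg)).update(body).digest()) === i.digest);
    return { load: ok, warn: !ok, reason: ok ? 'verified' : 'mismatch' };
  }

  // Case 1: known but no longer trusted. Warn, and block once the grace period ends.
  if (items.some((i) => DEPRECATED.has(i.alg))) {
    return { load: !graceOver, warn: true, reason: 'deprecated-algorithm' };
  }

  // Case 2: nothing recognised at all (old browser, new algorithm). Fail open.
  return { load: true, warn: false, reason: 'unknown-algorithm' };
}
```

Keeping cases 1 and 2 as separate outcomes is what the known-but-no-longer-trusted list buys: a parser that returns the empty string for both, as in footnote [1], cannot warn for one and stay silent for the other.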