Re: Couple comments on Subresource Integrity

From: Trevor Perrin <trevp@trevp.net>
Date: Mon, 24 Mar 2014 20:03:40 -0700
Message-ID: <CAGZ8ZG0u+K-JiGDry_EYLFd5XR-P3Jh0iGEYa=53q6_xsXYv6A@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Mar 24, 2014 at 7:11 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Hi Trevor
>> 1) Why does the content-type need to be specified in the link?  Why
>> not just include it as input to the hash?
> I believe this is because the existing RFC already uses the syntax.
> See http://tools.ietf.org/html/rfc6920#section-3.1

Hi Devdatta,

What does the RFC 6920 format give you compared to a simple
algo-specific attribute like sha256="base64...", and then hashing the
content-type followed by a separator char (";") prior to the data?

The 6920 format adds verbosity, parsing, and having to read a 20-page
(?!) doc.  What's the benefit?

Received on Tuesday, 25 March 2014 03:04:07 UTC
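
The two encodings compared in the message above, side by side, as an added example that is not part of the original post or of any specification text. Function names and the sample script are constructed; rejecting a content type that contains ";" is an assumption of this example, made so that the type/data boundary in the hashed input stays unambiguous.

```python
import base64
import hashlib
from urllib.parse import parse_qs

def attr_digest(content_type: str, data: bytes) -> str:
    """Attribute form: sha256 over content-type, ';' separator, then the data."""
    if ";" in content_type:
        # Assumption of this example: without this check, ("a", b";b") and
        # ("a;", b"b") would both hash the same byte string b"a;;b".
        raise ValueError("content type must not contain the separator")
    digest = hashlib.sha256(content_type.encode("ascii") + b";" + data).digest()
    return base64.b64encode(digest).decode("ascii")

def attr_verify(expected_b64: str, served_type: str, data: bytes) -> bool:
    """The type is bound by the hash itself, so one comparison covers both."""
    try:
        return attr_digest(served_type, data) == expected_b64
    except ValueError:
        return False

def ni_uri(content_type: str, data: bytes) -> str:
    """RFC 6920 form: digest covers the data only; the type rides in ct=."""
    val = base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=")
    return "ni:///sha-256;" + val.decode("ascii") + "?ct=" + content_type

def ni_verify(uri: str, served_type: str, data: bytes) -> bool:
    """Parse the URI, then check the ct= parameter and the digest separately."""
    prefix = "ni:///"
    if not uri.startswith(prefix):
        return False
    body, _, query = uri[len(prefix):].partition("?")
    alg, _, val = body.partition(";")
    if alg != "sha-256":
        return False
    if parse_qs(query).get("ct") != [served_type]:
        return False
    try:
        # RFC 6920 uses base64url without padding; restore it before decoding.
        digest = base64.urlsafe_b64decode(val + "=" * (-len(val) % 4))
    except ValueError:
        return False
    return digest == hashlib.sha256(data).digest()

if __name__ == "__main__":
    script = b"console.log('constructed sample');\n"  # constructed sample input
    print('sha256="%s"' % attr_digest("application/javascript", script))
    print(ni_uri("application/javascript", script))
```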