W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Re: Couple comments on Subresource Integrity

From: Trevor Perrin <trevp@trevp.net>
Date: Mon, 24 Mar 2014 23:10:27 -0700
Message-ID: <CAGZ8ZG0T5k9M+6ywRQmcr-Oy90ELdizfHk1=EuBGfjbGLLFPtA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi Brad,

On Mon, Mar 24, 2014 at 9:27 PM, Brad Hill <hillbrad@gmail.com> wrote:
> Because it's a standard, so we don't re-invent the wheel every time we or
> someone else does something like this.

It's an RFC, but I'm not aware of anyone using it.

>  And maybe it's 20 pages because it
> went through a cycle of peer review at the IETF that addressed hopefully
> most of the issues and edge cases that we would probably painfully
> recapitulate, one at a time, over the next year if we did just try another
> one-off.

What are some issues and edge cases you think it's solving?

6920 has an IANA registry for hash algorithms, but doesn't include
SHA-512, one of your mandatory algorithms.  It does have SHA-256
truncated at different levels.  But it doesn't give meaningful
guidance on when this is safe.  So if you want to allow truncation,
you'll still have to discuss it yourself.

6920 lets you specify content-type.  But why wouldn't you save those
bytes and hash the content-type?

I'm still not seeing what this gives you.

Received on Tuesday, 25 March 2014 06:10:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:38 UTC