Re: [SRI] To trust or not to trust a CDN

On 29.10.2014 16:27, Joel Weinberger wrote:
> 
> 
> On Wed, Oct 29, 2014 at 7:30 AM, Hatter Jiang OWS
> <hatter@openwebsecurity.org> wrote:
> 
>     Is it possible to use a signature in SRI:
> 
>     <script src="https://cdn.example.com/some.js"
>             integrity="key:///rsa;public-key-in-base64?ct=application/javascript">
> 
>     The resource should contain a header name: Content-Signature
>     like http://tools.ietf.org/html/draft-burke-content-signature-00
> 
>     The user agent just verifies the resource using the RSA public key.
> 
> 

Signatures give us authenticity. All we want is integrity (for now).

I don't think we will enter the land of signatures any time soon. It
also brings a lot of other problems (e.g. key attribution).

Received on Thursday, 30 October 2014 08:49:59 UTC
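The thread contrasts the proposed public-key check with what the SRI `integrity` attribute actually does. As an added illustration, not code from this list or from any browser, here is a small Python model of the hash-based check a user agent performs on a constructed sample script; the strongest-algorithm and unknown-algorithm rules follow the SRI specification.

```python
import base64
import hashlib
import hmac

SRI_ALGS = ("sha256", "sha384", "sha512")  # algorithms SRI recognizes, weakest to strongest

# Constructed sample resource, standing in for https://cdn.example.com/some.js
SCRIPT = b"window.greet = function () { return 'hello'; };\n"


def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Build the token ("sha384-<base64 digest>") a page author pins in the integrity attribute."""
    if alg not in SRI_ALGS:
        raise ValueError("SRI allows sha256, sha384 or sha512 only")
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode('ascii')}"


def sri_check(body: bytes, integrity: str) -> bool:
    """Emulate the user agent's decision: True means the fetched body may be used.

    Tokens with unrecognized algorithms are ignored, and if no recognized token
    remains the resource loads unchecked (a mistyped attribute silently disables
    SRI). Among recognized tokens only those using the strongest algorithm count;
    the body is accepted if it matches any one of them.
    """
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg not in SRI_ALGS:
            continue
        try:
            # Options may follow a "?" and do not affect the digest itself.
            expected = base64.b64decode(rest.split("?", 1)[0], validate=True)
        except ValueError:
            continue  # malformed base64: treat the token as unusable
        parsed.append((alg, expected))
    if not parsed:
        return True
    strongest = max((alg for alg, _ in parsed), key=SRI_ALGS.index)
    actual = hashlib.new(strongest, body).digest()
    return any(alg == strongest and hmac.compare_digest(actual, expected)
               for alg, expected in parsed)


if __name__ == "__main__":
    token = sri_digest(SCRIPT)
    print(token)
    print("unmodified:", sri_check(SCRIPT, token))           # True
    print("tampered:  ", sri_check(SCRIPT + b"//x", token))   # False
```

The digest binds the tag to exact bytes, so any change to the file, whether an injected payload or a legitimate CDN-side update, is rejected alike; that is the integrity-only property the reply refers to, with no notion of who produced the bytes.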