- From: Eduardo Robles Elvira <edulix@agoravoting.com>
- Date: Sat, 20 Sep 2014 19:15:54 +0200
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sat, Sep 20, 2014 at 7:00 PM, Brad Hill <hillbrad@gmail.com> wrote: > The proxy domain idea is pretty difficult to fit into existing models > for how browsers and the web work, it creates some rather large issues > with origin-based security used everywhere on the web, and it only > works for downloads. I believe we're on a more flexible and > compatible track with the SRI approach, and I'm not sure I understand > why you think it doesn't meet the high-level goals you want. We're > trying to solve problems for users, not create or support arbitrary > new schemes just for the sake of doing so. Using a subset of ni: uri > features to convey integrity metadata as HTML attributes provides > protection to users with browsers that support it and is ignored by > those that don't, at much lower complexity cost than your proposal. > > Regards, > > Brad Hill Hello Brad: I'm sorry I haven't make this clear in my last email: once I've seen the RFC6920 and specifically the .well-known URI ni suffixes, I have understood that my proposal is not needed anymore because RFC6920 solves the same problem in a much better way. So I agree with you: my proposal not a good solution (I started rightout saying it's hacky :-), and there's an RFC that proposes a better solution. An RFC about an URI scheme that is in fact being used by SRI to check integrity. Awesome. That's why at this point I'm quite satisfied in general with SRI and RFC6920, and I apologize again for making noise in the mailing list as a learning mechanism, that was not my intention, and only as result of not doing due diligence on standard-checking before making the proposal. My only question is, what level of support are browser vendors going to add to their web-browsers around RFC6920 and .well-known URIs, can I assume that in the not-so-distant future I will be able to enter a .well-known URI and my web browser will check its integrity and warn me if it is incorrect? Anyhow, of course this could be done by a browser extension, and in fact I have found at least one browser extension that goes in that direction: http://nuvl.org/ni/index.html . If browser-vendors do not wish to add first-class support for .well-known URIs, I'd go for the browser extension route and push that in security conscious browsers like tor-browser and the like. Regards, -- Eduardo Robles Elvira @edulix skype: edulix2 http://agoravoting.org @agoravoting +34 634 571 634
Received on Saturday, 20 September 2014 17:16:52 UTC