Re: Proposal: not-a-scheme digest URI scheme, with graceful degradation from Eduardo Robles Elvira on 2014-09-20 (public-webappsec@w3.org from September 2014)

From: Eduardo Robles Elvira <edulix@agoravoting.com>
Date: Sat, 20 Sep 2014 19:15:54 +0200
To: Brad Hill <hillbrad@gmail.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAHwZu3fwEmnCHjxsD+Z=BzV0hswJd932q2Y=-AEBRhJaHJFM3Q@mail.gmail.com>

On Sat, Sep 20, 2014 at 7:00 PM, Brad Hill <hillbrad@gmail.com> wrote:
> The proxy domain idea is pretty difficult to fit into existing models
> for how browsers and the web work, it creates some rather large issues
> with origin-based security used everywhere on the web, and it only
> works for downloads.  I believe we're on a more flexible and
> compatible track with the SRI approach, and I'm not sure I understand
> why you think it doesn't meet the high-level goals you want.  We're
> trying to solve problems for users, not create or support arbitrary
> new schemes just for the sake of doing so.  Using a subset of ni: uri
> features to convey integrity metadata as HTML attributes provides
> protection to users with browsers that support it and is ignored by
> those that don't, at much lower complexity cost than your proposal.
>
> Regards,
>
> Brad Hill

Hello Brad:

I'm sorry I haven't make this clear in my last email: once I've seen
the RFC6920 and specifically the .well-known URI ni suffixes, I have
understood that my proposal is not needed anymore because RFC6920
solves the same problem in a much better way. So  I agree with you: my
proposal not a good solution (I started rightout saying it's hacky
:-), and there's an RFC that proposes a better solution. An RFC about
an URI scheme that is in fact being used by SRI to check integrity.
Awesome.

That's why at this point I'm quite satisfied in general with SRI and
RFC6920, and I apologize again for making noise in the mailing list as
a learning mechanism, that was not my intention, and only as result of
not doing due diligence on standard-checking before making the
proposal.

My only question is, what level of support are browser vendors going
to add to their web-browsers around RFC6920 and .well-known URIs, can
I assume that in the not-so-distant future I will be able to enter a
.well-known URI and my web browser will check its integrity and warn
me if it is incorrect? Anyhow, of course this could be done by a
browser extension, and in fact I have found at least one browser
extension that goes in that direction: http://nuvl.org/ni/index.html .
If browser-vendors do not wish to add first-class support for
.well-known URIs, I'd go for the browser extension route and push that
in security conscious browsers like tor-browser and the like.

Regards,
-- 
Eduardo Robles Elvira     @edulix             skype: edulix2
http://agoravoting.org       @agoravoting     +34 634 571 634

Received on Saturday, 20 September 2014 17:16:52 UTC