Hi Sean!

Signature-based integrity is indeed something that I hope the SRI editors are thinking about. We discussed such a notion at our last face-to-face meeting, and I think there was general agreement that it was a good direction to explore (the notes at http://www.w3.org/2015/10/28-webappsec-minutes#item07 aren't wonderful, but you get the idea).

CCing the editors of that document, as I expect them to have feedback for you.

-mike

On Wed, Dec 9, 2015 at 9:56 AM, Sean B. Palmer <sean@miscoranda.com> wrote:
> Yesterday I published an Internet-Draft for discussion which proposes
> a method for associating web resources with cryptographic digital
> signatures:
>
> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> Michael Smith directed me to this group as working on a relevant
> technology, Subresource Integrity. I would like to suggest two things:
>
> * That the "integrity" attribute should come with a counterpart link
> relation for use in the "Link" HTTP header and "rel" HTML attribute.
> * That the "signature" link relation and some signature counterpart to
> "integrity" may have a place in your Subresource Integrity work.
>
> I understand that the work is advanced, being at the CR phase within
> the W3C. But I would not like to produce a solution to the problem of
> signature verification in complete independence from your work, and I
> therefore solicit your feedback.
>
> --
> Sean B. Palmer
>

Received on Wednesday, 9 December 2015 09:02:28 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:16 UTC