Re: Signatures

From: Mike West <mkwst@google.com>
Date: Wed, 9 Dec 2015 10:01:38 +0100
Message-ID: <CAKXHy=ed8srB6A-pa-Q9DBfHXbg40=fhsgQwzyALbo3n=31z2w@mail.gmail.com>
To: "Sean B. Palmer" <sean@miscoranda.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Joel Weinberger <jww@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Frederik Braun <fbraun@mozilla.com>, Francois Marier <francois@mozilla.com>
Hi Sean!

Signature-based integrity is indeed something that I hope the SRI editors
are thinking about. We discussed such a notion at our last face-to-face
meeting, and I think there was general agreement that it was a good
direction to explore (the notes at
http://www.w3.org/2015/10/28-webappsec-minutes#item07 aren't wonderful, but
you get the idea).

CCing the editors of that document, as I expect them to have feedback for
you.

-mike

On Wed, Dec 9, 2015 at 9:56 AM, Sean B. Palmer <sean@miscoranda.com> wrote:

> Yesterday I published an Internet-Draft for discussion which proposes
> a method for associating web resources with cryptographic digital
> signatures:
>
> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> Michael Smith directed me to this group as working on a relevant
> technology, Subresource Integrity. I would like to suggest two things:
>
> * That the "integrity" attribute should come with a counterpart link
> relation for use in the "Link" HTTP header and "rel" HTML attribute.
> * That the "signature" link relation and some signature counterpart to
> "integrity" may have a place in your Subresource Integrity work.
>
> I understand that the work is advanced, being at the CR phase within
> the W3C. But I would not like to produce a solution to the problem of
> signature verification in complete independence from your work, and I
> therefore solicit your feedback.
>
> --
> Sean B. Palmer
>
>
Received on Wednesday, 9 December 2015 09:02:28 UTC