W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2015

Re: Signatures

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 9 Dec 2015 05:42:23 -0800
Message-ID: <CAPfop_1f9t8voLq3Rn5n0Ek00CpUkKX8i-ysrdjUuRega6ni9w@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Joel Weinberger <jww@google.com>, "Sean B. Palmer" <sean@miscoranda.com>, Francois Marier <francois@mozilla.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hey Sean

Thanks for emailing! We are talking about this on
https://github.com/w3c/webappsec/issues/449

Maybe you can chime in with your thoughts?

I think most valuable would be input on why cryptographic hashes aren't
sufficient for the use case you are interested in (downloads). And, why
some of the other solutions like nonce + hmac proposed in the issue don't
work either. This will help everyone understand the value of signatures.

Cheers
Dev
On Dec 9, 2015 1:01 AM, "Mike West" <mkwst@google.com> wrote:

> Hi Sean!
>
> Signature-based integrity is indeed something that I hope the SRI editors
> are thinking about. We discussed such a notion at our last face-to-face
> meeting, and I think there was general agreement that it was a good
> direction to explore (the notes at
> http://www.w3.org/2015/10/28-webappsec-minutes#item07 aren't wonderful,
> but you get the idea).
>
> CCing the editors of that document, as I expect them to have feedback for
> you.
>
> -mike
>
> -mike
>
> On Wed, Dec 9, 2015 at 9:56 AM, Sean B. Palmer <sean@miscoranda.com>
> wrote:
>
>> Yesterday I published an Internet-Draft for discussion which proposes
>> a method for associating web resources with cryptographic digital
>> signatures:
>>
>> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>>
>> Michael Smith directed me to this group as working on a relevant
>> technology, Subresource Integrity. I would like to suggest two things:
>>
>> * That the "integrity" attribute should come with a counterpart link
>> relation for use in the "Link" HTTP header and "rel" HTML attribute.
>> * That the "signature" link relation and some signature counterpart to
>> "integrity" may have a place in your Subresource Integrity work.
>>
>> I understand that the work is advanced, being at the CR phase within
>> the W3C. But I would not like to produce a solution to the problem of
>> signature verification in complete independence from your work, and I
>> therefore solicit your feedback.
>>
>> --
>> Sean B. Palmer
>>
>>
>
Received on Wednesday, 9 December 2015 13:42:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:16 UTC