
Re: Signatures

From: Sean B. Palmer <sean@miscoranda.com>
Date: Wed, 9 Dec 2015 14:57:52 +0000
Message-ID: <CAH3-oEfTCRpahPG8T_D+-iT9UZzjJNsJgGDpWP5+Q6ww7wb+9Q@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Mike West <mkwst@google.com>, Joel Weinberger <jww@google.com>, Francois Marier <francois@mozilla.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Thanks, I have done as you suggested:


I'm happy to discuss this in either forum, here or on GitHub or both.

On Wed, Dec 9, 2015 at 1:42 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Hey Sean
> Thanks for emailing! We are talking about this on
> https://github.com/w3c/webappsec/issues/449
> Maybe you can chime in with your thoughts?
> I think most valuable would be input on why cryptographic hashes aren't
> sufficient for the use case you are interested in (downloads). And, why some
> of the other solutions like nonce + hmac proposed in the issue don't work
> either. This will help everyone understand the value of signatures.
> Cheers
> Dev
> On Dec 9, 2015 1:01 AM, "Mike West" <mkwst@google.com> wrote:
>> Hi Sean!
>> Signature-based integrity is indeed something that I hope the SRI editors
>> are thinking about. We discussed such a notion at our last face-to-face
>> meeting, and I think there was general agreement that it was a good
>> direction to explore (the notes at
>> http://www.w3.org/2015/10/28-webappsec-minutes#item07 aren't wonderful, but
>> you get the idea).
>> CCing the editors of that document, as I expect them to have feedback for
>> you.
>> -mike
>> On Wed, Dec 9, 2015 at 9:56 AM, Sean B. Palmer <sean@miscoranda.com>
>> wrote:
>>> Yesterday I published an Internet-Draft for discussion which proposes
>>> a method for associating web resources with cryptographic digital
>>> signatures:
>>> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>>> Michael Smith directed me to this group as working on a relevant
>>> technology, Subresource Integrity. I would like to suggest two things:
>>> * That the "integrity" attribute should come with a counterpart link
>>> relation for use in the "Link" HTTP header and "rel" HTML attribute.
>>> * That the "signature" link relation and some signature counterpart to
>>> "integrity" may have a place in your Subresource Integrity work.
>>> I understand that the work is advanced, being at the CR phase within
>>> the W3C. But I would not like to produce a solution to the problem of
>>> signature verification in complete independence from your work, and I
>>> therefore solicit your feedback.
>>> --
>>> Sean B. Palmer

Sean B. Palmer, http://inamidst.com/sbp/
Received on Wednesday, 9 December 2015 14:58:25 UTC
