W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2015

Re: Signatures

From: Joel Weinberger <jww@chromium.org>
Date: Wed, 09 Dec 2015 22:48:18 +0000
Message-ID: <CAHQV2K=SN6iEUev5DcB1EWxom8cYZmT9ZB05s5z7UPaj4xPWSA@mail.gmail.com>
To: "Sean B. Palmer" <sean@miscoranda.com>, Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Mike West <mkwst@google.com>, Francois Marier <francois@mozilla.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Thanks, Sean. I think the GitHub issue is a good place to start and hash
out particular ideas, and when we have some concrete proposals, we'll come
back over here for further discussion.
--Joel

On Wed, Dec 9, 2015 at 6:57 AM Sean B. Palmer <sean@miscoranda.com> wrote:

> Thanks, I have done as you suggested:
>
> https://github.com/w3c/webappsec/issues/449#issuecomment-163279813
>
> I'm happy to discuss this in either forum, here or on GitHub or both.
>
> On Wed, Dec 9, 2015 at 1:42 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
> > Hey Sean
> >
> > Thanks for emailing! We are talking about this on
> > https://github.com/w3c/webappsec/issues/449
> >
> > Maybe you can chime in with your thoughts?
> >
> > I think most valuable would be input on why cryptographic hashes aren't
> > sufficient for the use case you are interested in (downloads). And, why
> some
> > of the other solutions like nonce + hmac proposed in the issue don't work
> > either. This will help everyone understand the value of signatures.
> >
> > Cheers
> > Dev
> >
> > On Dec 9, 2015 1:01 AM, "Mike West" <mkwst@google.com> wrote:
> >>
> >> Hi Sean!
> >>
> >> Signature-based integrity is indeed something that I hope the SRI
> editors
> >> are thinking about. We discussed such a notion at our last face-to-face
> >> meeting, and I think there was general agreement that it was a good
> >> direction to explore (the notes at
> >> http://www.w3.org/2015/10/28-webappsec-minutes#item07 aren't
> wonderful, but
> >> you get the idea).
> >>
> >> CCing the editors of that document, as I expect them to have feedback
> for
> >> you.
> >>
> >> -mike
> >>
> >> -mike
> >>
> >> On Wed, Dec 9, 2015 at 9:56 AM, Sean B. Palmer <sean@miscoranda.com>
> >> wrote:
> >>>
> >>> Yesterday I published an Internet-Draft for discussion which proposes
> >>> a method for associating web resources with cryptographic digital
> >>> signatures:
> >>>
> >>> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
> >>>
> >>> Michael Smith directed me to this group as working on a relevant
> >>> technology, Subresource Integrity. I would like to suggest two things:
> >>>
> >>> * That the "integrity" attribute should come with a counterpart link
> >>> relation for use in the "Link" HTTP header and "rel" HTML attribute.
> >>> * That the "signature" link relation and some signature counterpart to
> >>> "integrity" may have a place in your Subresource Integrity work.
> >>>
> >>> I understand that the work is advanced, being at the CR phase within
> >>> the W3C. But I would not like to produce a solution to the problem of
> >>> signature verification in complete independence from your work, and I
> >>> therefore solicit your feedback.
> >>>
> >>> --
> >>> Sean B. Palmer
> >>>
> >>
> >
>
>
>
> --
> Sean B. Palmer, http://inamidst.com/sbp/
>
Received on Wednesday, 9 December 2015 22:48:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:53 UTC