Re: [SRI] unsupported hashes and invalid metadata

From: Brian Smith <brian@briansmith.org>
Date: Sun, 8 Feb 2015 21:56:54 -0800
Message-ID: <CAFewVt4K4kEyEdWgU2wfS_Jcy67gG0CoB07-rtzf81HU_vp-Yg@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Francois Marier <francois@mozilla.com> wrote:
> What should we do for completely unknown hash algorithms? (i.e. case 2
> with old browsers) Dev suggested that perhaps failing open is the only
> sane way to let site admins support the long tail of browsers.

Site admins could support the long tail of browsers by specifying
multiple digests such as integrity="sha256:ABC sha3-512:ABC". Older
browsers that don't implement sha3-512 would still enforce the
sha256:ABC digest. A newer browser that doesn't consider (SHA-2)
sha256 secure but which supports sha3-512 would enforce the sha3-512
digest.

Cheers,
Brian
Received on Monday, 9 February 2015 05:57:22 UTC
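
The fallback described in the message above, as an added example that is not part of the original post or of any browser's code: it parses the thread's `alg:digest` syntax, drops algorithms a given browser does not implement or trust, and enforces the strongest one left. The browser profiles, the function names and the strongest-wins ordering when several algorithms are trusted are assumptions made for illustration.

```javascript
// Added example. Syntax follows the message's integrity="sha256:ABC sha3-512:ABC".

// Split the attribute into {alg, digest} entries, skipping malformed tokens.
function parseIntegrity(value) {
  return value.trim().split(/\s+/).filter(Boolean).map((token) => {
    const i = token.indexOf(':');
    if (i <= 0) return null; // no algorithm prefix
    return { alg: token.slice(0, i).toLowerCase(), digest: token.slice(i + 1) };
  }).filter((e) => e !== null && e.digest.length > 0);
}

// `trusted` lists the algorithms this browser both implements and considers
// secure, weakest first (assumed ordering). Unknown algorithms are ignored,
// so an old browser still enforces the digest it understands.
function selectDigests(value, trusted) {
  const entries = parseIntegrity(value);
  let best = -1;
  for (const e of entries) best = Math.max(best, trusted.indexOf(e.alg));
  if (best < 0) return null; // nothing enforceable: the case the thread debates
  const alg = trusted[best];
  return { alg, digests: entries.filter((e) => e.alg === alg).map((e) => e.digest) };
}

// `computed` maps algorithm name -> digest of the fetched resource, supplied
// by the caller (hashing itself is outside this sketch).
function evaluate(value, trusted, computed) {
  const sel = selectDigests(value, trusted);
  if (sel === null) return 'unenforceable'; // policy decision left to the caller
  return sel.digests.includes(computed[sel.alg]) ? 'match' : 'mismatch';
}

// Constructed browser profiles for the scenarios in the message.
const OLDER_BROWSER = ['sha256'];              // does not implement sha3-512
const NEWER_BROWSER = ['sha3-512'];            // no longer trusts sha256
const BOTH_TRUSTED = ['sha256', 'sha3-512'];

const attr = 'sha256:ABC sha3-512:ABC';
for (const [name, p] of [['older', OLDER_BROWSER], ['newer', NEWER_BROWSER],
                         ['both', BOTH_TRUSTED]]) {
  console.log(name, '->', selectDigests(attr, p).alg);
}
```

The `'unenforceable'` result is returned separately from `'mismatch'` so that whether to fail open or closed for completely unknown algorithms stays an explicit choice in the caller.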
