W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [SRI] Include sha-384 in the spec?

From: Mike West <mkwst@google.com>
Date: Thu, 8 Jan 2015 10:06:56 +0100
Message-ID: <CAKXHy=eKhjQ9OjF3yC6QG-p5A-6=q_kRSPco5rYhUmc7-ot1EQ@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Seems pretty reasonable to align the two specs. Might as well give some
flexibility in terms of truncation.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Jan 7, 2015 at 6:16 PM, Joel Weinberger <jww@chromium.org> wrote:

> Not surprisingly, as the Chromium implementor, I support including
> sha-384. This would also be consistent with the CSP Editor's draft:
> https://w3c.github.io/webappsec/specs/content-security-policy/
>
>
> On Tue Jan 06 2015 at 7:19:48 PM Francois Marier <francois@mozilla.com>
> wrote:
>
>> Should we include sha-384 as a mandatory algorithm to support?
>>
>> The Chromium [1] and Firefox [2] implementations both support it and
>> it's part of CSP Level 2 [3].
>>
>> Francois
>>
>> [1]
>> https://code.google.com/p/chromium/codesearch#chromium/
>> src/third_party/WebKit/Source/core/frame/SubresourceIntegrity.cpp&sq=
>> package:chromium&type=cs&l=66
>>
>> [2]
>> https://bitbucket.org/fmarier/mozilla-central-mq-992096/src/
>> 4a686871b1cda481e8eb6044ee2015438c1ae12b/bug992096.patch?at=
>> default#cl-1115
>>
>> [3] http://www.w3.org/TR/CSP2/#source-list-valid-hashes
>>
>>
Received on Thursday, 8 January 2015 09:07:44 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC