[SRI] Reserving the "authority" component of NI URIs for later use?

I filed https://github.com/w3c/webappsec/pull/124 after carefully
re-reading RFC 6920.

The first commit is not controversial but the second one raised some
questions:


https://github.com/fmarier/webappsec/commit/1b5e6b0d3c40cfb3ede6d40b5f6d849c048b79b5

We don't currently use the "authority" field in NI URIs (e.g.
"ni://authority.com/sha-256;foo") and we could either:

1. require that it be empty (i.e. the presence of an authority makes the
URI invalid)

2. require that user agents ignore it if present (i.e. URIs with
authority can be valid)

I have a slight preference for #2 in case we find a good use for it in a
future version of the SRI spec.

Does anybody have thoughts on this?

Francois

Received on Sunday, 18 January 2015 00:20:30 UTC