Re: [Integrity] typos with ni URIs

Martin Thomson <martin.thomson@gmail.com> wrote:
> I know a lot of base64 libs accept the '+/' and '-_' variants
> interchangeably as well.  Is that something that should be accepted or
> not?

It's probably best for webappsec specs to choose one syntax (either
regular base64 encoding, or base64url encoding), and use it
everywhere.

> For new stuff, I consider Postel's "accept any old trash" maxim as bad
> advice; and generally consider it to be fatalistic when it comes to
> old junk,

I understand how this could be considered an application of Postel's
rule, which I also don't generally agree with, but...

> recognizing that at some point correctness has to yield
> to interoperability.  Is ni:// that decrepit already?

I think it might be the case that the specification of ni:/// URLs is
unnecessarily strict in saying that the digest must be encoded without
the "=" padding characters. Note that this is a difference in design
styles between IETF and WHATWG/W3C.

Personally, I think that SRI shouldn't use ni:/// URLs at all, because
the ni:/// syntax is noisy and problematic (e.g. the use of ";" to
delimit parameters) when used in webappsec specs like CSP.
Consequently, perhaps the use of ni:/// URLs should be replaced with
something better.

Cheers,
Brian

Received on Monday, 19 January 2015 05:37:28 UTC
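
The distinction discussed in this message, as an added Node.js example that is not part of the original e-mail: a lenient decoder treats several spellings of one digest as equal, while a strict ni:/// parser for the unpadded base64url form accepts exactly one. The function names and the 32-byte sample value are constructed for illustration, and the parser is narrowed to sha-256 with no authority or query part.

```javascript
// Added illustration; function names are hypothetical, sample digest is constructed.
const SHA256_BYTES = 32;

// Constructed 32-byte stand-in for a SHA-256 digest, chosen so that its
// encoding contains the characters on which the two alphabets differ.
const sampleDigest = Buffer.from('fbefbe'.repeat(5) + 'ffffff'.repeat(5) + 'ffee', 'hex');

// Canonical unpadded base64url spelling of a byte string.
function toBase64Url(bytes) {
  return bytes.toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Lenient: Node's 'base64' decoder accepts both alphabets, with or without padding.
function lenientDecode(value) {
  return Buffer.from(value, 'base64');
}

// Strict: exactly one spelling is valid (unpadded base64url, sha-256 only here).
function parseNiStrict(uri) {
  const m = /^ni:\/\/\/sha-256;([A-Za-z0-9_-]+)$/.exec(uri);
  if (!m) return null;                              // wrong alphabet, padding, extra syntax
  const bytes = Buffer.from(m[1], 'base64');
  if (bytes.length !== SHA256_BYTES) return null;   // truncated or over-long digest
  if (toBase64Url(bytes) !== m[1]) return null;     // non-canonical trailing bits
  return bytes;
}

// Three spellings of the same constructed digest.
const spellings = {
  base64Padded: sampleDigest.toString('base64'),
  base64UrlUnpadded: toBase64Url(sampleDigest),
  base64UrlPadded: toBase64Url(sampleDigest) + '=',
};

// For each spelling: does the lenient decoder recover the digest, and does
// the strict parser accept the resulting ni:/// URI?
function compare() {
  const out = {};
  for (const [name, value] of Object.entries(spellings)) {
    out[name] = {
      lenient: lenientDecode(value).equals(sampleDigest),
      strict: parseNiStrict('ni:///sha-256;' + value) !== null,
    };
  }
  return out;
}

console.log(compare());
```

If integrity metadata is compared as a string anywhere (caches, policy matching, logs), the lenient behaviour means several distinct strings name the same digest, which is the practical argument for picking one syntax and rejecting the rest.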