
Re: Signed and indexed packaging proposal.

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 18 Nov 2016 02:28:23 +0000
Message-ID: <CAEeYn8ixnOb3pSVkeCr1-OUErVLAn0ZPdgkKPB2QqG-hcLbVjQ@mail.gmail.com>
To: Martin Thomson <mt@mozilla.com>, Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, yan zhu <yan@mit.edu>, Dmitry Titov <dimich@google.com>, Alex Russell <slightlyoff@google.com>
I also can't see the GitHub links from that discussion.

It sounds like this is about extending the set of content that can assert /
enter the security principal for a secure origin to offline packaged
content with an appropriate signature.

The cases that Yan and I are interested in are a bit different. We would
like to create an application security principal (origin, sub-origin, etc.)
which _only_ a specifically identified and limited set of content
can assert (with the goal of being able to tell users definitively what
application codebase they are running to prevent partitioning and be
comparable against an audit report).

I don't think the different ideas interfere destructively, though they
perhaps don't help each other, either.  I could be very wrong, though, will
have to be able to see the actual proposals.


On Thu, Nov 17, 2016 at 6:08 PM Martin Thomson <mt@mozilla.com> wrote:

> On Thu, Nov 17, 2016 at 8:39 PM, Mike West <mkwst@google.com> wrote:
> > Dmitry from the Chrome team has put together a packaging proposal at
> > https://discourse.wicg.io/t/proposal-packaging-for-the-web-signed-and-indexed/1827
> > that's relevant to this group's interests. Review would be ever so much
> > appreciated.
> The link to the proposal is broken in a way I was unable to recover,
> so I can't comment.
> I abandoned signing for a variety of reasons, so I'd caution that this
> isn't trivial to get right.
Received on Friday, 18 November 2016 02:29:05 UTC
