
Re: Proposal: Signatures in SRI.

From: Martin Thomson <martin.thomson@gmail.com>
Date: Sat, 10 Jun 2017 15:47:55 +0100
Message-ID: <CABkgnnXYahjjS4MRtYMf_TZuywnJn1HDCKzqN8sog8sL-pNp_w@mail.gmail.com>
To: Jeffrey Yasskin <jyasskin@google.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, freddyb@mozilla.com, Francois Marier <francois@mozilla.com>, Joel Weinberger <joel.weinberger@gmail.com>, Brad Hill <hillbrad@gmail.com>

On 10 June 2017 at 06:04, Jeffrey Yasskin <jyasskin@google.com> wrote:
> I'm certainly not a cryptography expert, but I read in
> https://tools.ietf.org/html/rfc8032#section-4, "Note that single-pass
> verification is not possible with most uses of signatures, no matter
> which signature algorithm is chosen.  This is because most of the
> time, one can't process the message until the signature is validated,
> which needs a pass on the entire message."

The draft I cited includes a method for signing partial messages.  The
trade-off is that it's trivially vulnerable to truncation attacks,
much in the same way that HTTP responses over TLS can be cut off.

So both things are true.  Generally, you want a signature over a thing
to be completely verified before you use it in *any* way, so what RFC
8032 says is entirely appropriate.
Received on Saturday, 10 June 2017 14:48:30 UTC
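
Added example (not part of the original message, and not the method of the draft the message refers to): a generic record-by-record verifier showing why per-chunk authentication accepts a truncated stream, and how an authenticated "final record" flag lets the verifier detect it. HMAC-SHA256 stands in for a public-key signature so the sketch runs on the standard library alone; the key, message, record size and function names are all constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a signature
MSG = b"loadConfig(); verifyUser(); grantAccess();"  # constructed sample input

def _tag(index, final, chunk):
    # Bind the record position and the "last record" flag into the tag.
    header = index.to_bytes(8, "big") + (b"\x01" if final else b"\x00")
    return hmac.new(KEY, header + chunk, hashlib.sha256).digest()

def sign_stream(data, size=16):
    """Split data into (chunk, tag) records; only the last is flagged final."""
    chunks = [data[i:i + size] for i in range(0, len(data), size)] or [b""]
    last = len(chunks) - 1
    return [(c, _tag(i, i == last, c)) for i, c in enumerate(chunks)]

def verify_stream(records, require_final):
    """Verify each record in order and return the verified bytes.

    Raises ValueError on a bad tag, on data after the final record, or
    (when require_final is True) on a stream that ends without one.
    """
    out, saw_final = [], False
    for i, (chunk, tag) in enumerate(records):
        if saw_final:
            raise ValueError("data after final record")
        if hmac.compare_digest(tag, _tag(i, True, chunk)):
            saw_final = True
        elif not hmac.compare_digest(tag, _tag(i, False, chunk)):
            raise ValueError(f"record {i} failed verification")
        # A true streaming consumer would already have acted on this chunk.
        out.append(chunk)
    if require_final and not saw_final:
        raise ValueError("stream truncated before final record")
    return b"".join(out)

if __name__ == "__main__":
    records = sign_stream(MSG)
    cut = records[:1]  # the stream is cut off after the first record
    # Every record that arrived is valid, so a lenient verifier accepts it.
    print("lenient:", verify_stream(cut, require_final=False))
    try:
        verify_stream(cut, require_final=True)
    except ValueError as err:
        print("strict: ", err)
```

Even the strict verifier only learns of the truncation when the stream ends, so a consumer that acts on each record as it arrives has already used the prefix; buffering until the final record verifies is the equivalent of the full-message check RFC 8032 describes.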
