
SRI and signatures

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 29 Nov 2017 02:23:26 -0800
Message-ID: <CAPfop_12Be_rWUUhUCU8+5+BrhtgdVwpq4KceJJng+idWD0Wbg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi everyone!

I wanted to take a moment to summarize the current state and next steps of
signature support in SRI and open it all up for discussion. This is a
follow-up to the TPAC discussion.

The idea is more fully detailed in Mike's excellent write-up
<https://github.com/mikewest/signature-based-sri>, but the essential idea is
to allow a page to say "check that the resource being loaded is signed by
$public-key", and the response to the resource request contains a header
that contains the signature on the resource. The current proposal only uses
Ed25519.

Currently, there is an implementation in Chrome behind a flag (although the
Chrome team is looking into making this an origin trial
<https://github.com/GoogleChrome/OriginTrials>). Chrome's currently looking
for web applications instead of experimenting with this and seeing how
painful/hard it is. Are there implementors (both browsers and
CDNs/websites) interested in trying this out and giving feedback? The
current write-up also has a bunch of issues
<https://github.com/mikewest/signature-based-sri/issues> filed against it;
probably the most thriving discussion is on whether the signatures should
include the URI path
<https://github.com/mikewest/signature-based-sri/issues/5>.

A second aspect that at least Artur and I are particularly excited about
is being able to combine this with CSP. Being able to say "all code running
on this page must be signed by $key" is a pretty awesome primitive. The
write-up already has some ideas like whitelisting a public key in CSP
(similar to how you can whitelist hashes). Feedback on this idea (and other
ideas about this in the spec) would be great! Additionally, to make full
deployment a reality, inline script support would be pretty critical. It is
not clear how to handle inline scripts since SRI currently only talks about
remote loads. I would love feedback/thoughts on this! (GitHub issue
<https://github.com/mikewest/signature-based-sri/issues/10>)

Happy to discuss more here or on the GitHub issue, with a slight preference
for the latter to keep different threads more easily separate. I would really
love more input/feedback from the community!


cheers
Dev
Received on Wednesday, 29 November 2017 10:24:14 UTC
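The check described above (page names an Ed25519 public key, response carries the signature, client verifies the body under that key), as an added example in Go that is not part of the original message or of Mike's write-up. It assumes a token shape of `ed25519-<base64>` for both the integrity attribute and the response header, and signs the body bytes only, leaving the open question of whether the URI path should be covered (issue #5) out of scope.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"strings"
)

// parseToken decodes an "ed25519-<base64>" token; this shape is assumed for
// both the integrity attribute (public key) and the response header (signature).
func parseToken(token string) ([]byte, error) {
	const prefix = "ed25519-"
	if !strings.HasPrefix(token, prefix) {
		return nil, errors.New("unsupported algorithm prefix (only ed25519 is defined)")
	}
	return base64.StdEncoding.DecodeString(strings.TrimPrefix(token, prefix))
}

// VerifySignedResource is the client-side check: the page named a public key,
// the response carried a signature, and the body must verify under that key.
// A non-nil error means the load is blocked, exactly as a hash mismatch would be.
func VerifySignedResource(integrityAttr, signatureHeader string, body []byte) error {
	pub, err := parseToken(integrityAttr)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("integrity attribute is not a valid ed25519 public key")
	}
	sig, err := parseToken(signatureHeader)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("signature header is not a valid ed25519 signature")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), body, sig) {
		return errors.New("signature does not verify under the named key")
	}
	return nil
}

// NewSignedExample plays the publisher: it generates a key pair, signs the
// given body, and returns the attribute value and header value that the page
// and the server would emit (constructed example data, not a real deployment).
func NewSignedExample(body []byte) (integrityAttr, signatureHeader string) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	integrityAttr = "ed25519-" + base64.StdEncoding.EncodeToString(pub)
	signatureHeader = "ed25519-" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))
	return integrityAttr, signatureHeader
}
```

Because the page pins a key rather than a hash, the same attribute keeps working across resource updates as long as the publisher re-signs; a body altered in transit or signed by a different key fails the check.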
