Re: Digitally-signed SRI ?

You might find this repo helpful:
https://github.com/mikewest/signature-based-sri

I recall reading something about this regarding
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures

My only other comment would be a plea to not invent yet another
signature and key representation and instead use JWS and JWK.

Regards,

OS



On Wed, Feb 2, 2022 at 12:42 PM Amir Herzberg <amir.herzberg@gmail.com>
wrote:

> Hi, I'm updating my web-security presentation for my net-sec class, and
> think of covering SRI. There's a question I'm curious about. The draft uses
> hash based authentication, but doesn't seem to offer an option for using
> signatures. I can see a performance concern for the use of signatures
> (validation, mostly), but in a common use case, signatures seem to be more
> applicable (allowing a cached web-page to use periodically modified
> resources from a not-fully-trusted CDN, for example). So I'm interested to
> learn if this was a decision by the WG, and, if it was, what were the
> considerations. A url to relevant email/thread would be helpful; I tried
> searching the archive but in vain.
>
> Many thanks! Amir
> p.s. I'm sending this to the public mailing list but I'm not subscribed,
> so please respond to my personal email, thanks.
> --
> Amir Herzberg
>
> Comcast professor of Security Innovations, Computer Science and
> Engineering, University of Connecticut
> Homepage: https://sites.google.com/site/amirherzberg/home
> `Applied Introduction to Cryptography' textbook and lectures:
>  https://sites.google.com/site/amirherzberg/applied-crypto-textbook

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

Received on Wednesday, 2 February 2022 18:49:35 UTC