Re: [webauthn] Adding info about HSTS for the RPID to client Data. (#1554)

on 2021-01-27 call:
@agl notes that this approach does not give NIST what they want because a JS origin is a collection of resources loaded from mult RPs as well as the local cache --- i.e., this will not deliver what they desire. i.e., such an "hsts flag" is not usefully meaningful. maybe what they are desiring is a "secure boot" for JS origins? i.e., the "reality - hope collision"

perhaps what they want is a sort of "taint bit" on the amalgamated JS+HTML+everythingElse origin, eg, take the sum of the sec properties of all the components of the browsing context. and if it is "1", then it is (possibly) "tainted".

you use SRI when offloading resources to CDNs. in any case a RP wishing AAL3 probably ought to minimize the collection of entities contributing to the browsing context.

how might CSP play in this? It is not clear. CSPs are included with resources, whereas webauthn is a property of the RP mapped to the document context.

agl thinks the set of all TLS certs that have contributed resources to the browsing context might have meaning. maybe including something derived from the present in-force CSP _might_ have meaning....


-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1554#issuecomment-768561790 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 27 January 2021 20:38:11 UTC