[w3c/webpayments-method-identifiers] SRI on manifest (#18) from Adrian Hope-Bailie on 2016-11-17 (public-webpayments-specs@w3.org from November 2016)

From: Adrian Hope-Bailie <notifications@github.com>
Date: Thu, 17 Nov 2016 00:37:13 -0800
To: w3c/webpayments-method-identifiers <webpayments-method-identifiers@noreply.github.com>
Message-ID: <w3c/webpayments-method-identifiers/issues/18@github.com>

Is it possible (and desriable) to have a way to perform resource integrity checks on the manifest?

Can an SRI hash be put directly into the URL somehow (as a query parameter that IS allowed maybe)?

Related to #17 we might want to use `ni:` URIs that translate to an HTTPS resource.

See https://tools.ietf.org/html/draft-farrell-decade-ni-10#section-4  and the examples later showing how

`ni://example.com/sha-256;f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk`

maps to

`http://example.com/.well-known/ni/sha-256/f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk`

which could be a redirect to:

`http://example.com/payments.manifest`

and would allow the browser to validate that the content of the file matches the PMI.

i.e. The SHA256 hash of the content of `http://example.com/payments.manifest` MUST equal 'f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk'

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-method-identifiers/issues/18

Received on Thursday, 17 November 2016 08:38:11 UTC