Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification

From: Sean B. Palmer <sean@miscoranda.com>
Date: Wed, 9 Dec 2015 08:50:59 +0000
Message-ID: <CAH3-oEdP9u08Jb73_yxpp1u-0uabpCOM-Xu=N6XErwhU42aVwA@mail.gmail.com>
To: "Michael[tm] Smith" <mike@w3.org>
Cc: whatwg@whatwg.org

Signatures and hashes have different use cases. A signature guarantees
that a person or organisation endorses a resource, as well as
guaranteeing the integrity. A hash only guarantees the integrity. A
signature should be given if a user is downloading software that must
be proven to come from a trusted source, e.g. a privacy suite or bank
assistant.

Subresource Integrity could perhaps be extended to the signature use
case. I will write to the group. Thanks for the pointer!

On Wed, Dec 9, 2015 at 4:39 AM, Michael[tm] Smith <mike@w3.org> wrote:
> "Sean B. Palmer" <sean@miscoranda.com>, 2015-12-08 15:44 +0000:
>>
>> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> Seems like the underlying use case is something Subresource Integrity is
> already intended to potentially be used to address.
>
>   https://w3c.github.io/webappsec-subresource-integrity/
>   https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
>
> --
> Michael[tm] Smith https://people.w3.org/mike



-- 
Sean B. Palmer, http://inamidst.com/sbp/
Received on Wednesday, 9 December 2015 08:51:33 UTC