- From: Sean B. Palmer <sean@miscoranda.com>
- Date: Wed, 9 Dec 2015 08:50:59 +0000
- To: "Michael[tm] Smith" <mike@w3.org>
- Cc: whatwg@whatwg.org

Signature and hashes have different use cases. A signature guarantees that a person or organisation endorses a resource, as well as guaranteeing the integrity. A hash only guarantees the integrity.

A signature should be given if a user is downloading software that must be proven to come from a trusted source, e.g. a privacy suite or bank assistant.

Subresource Integrity could perhaps be extended to the signature use case. I will write to the group. Thanks for the pointer!

On Wed, Dec 9, 2015 at 4:39 AM, Michael[tm] Smith <mike@w3.org> wrote:
> "Sean B. Palmer" <sean@miscoranda.com>, 2015-12-08 15:44 +0000:
>>
>> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> Seems like the underlying use case is something Subresource Integrity is
> already intended to potentially be used to address.
>
> https://w3c.github.io/webappsec-subresource-integrity/
> https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
>
> --
> Michael[tm] Smith https://people.w3.org/mike

--
Sean B. Palmer, http://inamidst.com/sbp/

Received on Wednesday, 9 December 2015 08:51:33 UTC
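
The distinction drawn in the message above, as an added example that is not part of the original thread or of either specification: a Node.js sketch comparing an SRI-style hash check with a detached Ed25519 signature check. The function names, the sample resource bytes and the key pair are constructed for illustration, and the verifier is assumed to have obtained the publisher's public key out of band.

```javascript
// Added example with constructed sample data; not code from the thread.
const nodeCrypto = require('node:crypto');

// SRI-style integrity value: "<alg>-<base64 digest>".
function sriDigest(body, alg = 'sha384') {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest('base64')}`;
}

// Integrity only: does the body match the hash published next to it?
function checkIntegrity(body, integrity) {
  const dash = integrity.indexOf('-');
  const alg = integrity.slice(0, dash);
  if (!['sha256', 'sha384', 'sha512'].includes(alg)) return false;
  const expected = Buffer.from(integrity.slice(dash + 1), 'base64');
  const actual = nodeCrypto.createHash(alg).update(body).digest();
  return expected.length === actual.length &&
    nodeCrypto.timingSafeEqual(expected, actual);
}

// Endorsement plus integrity: was this exact body signed by the publisher's key?
function checkSignature(body, signature, publisherKey) {
  return nodeCrypto.verify(null, body, publisherKey, signature);
}

function demo() {
  // Constructed publisher key pair; only the public half reaches the verifier.
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const original = Buffer.from('installer v1.0 (constructed sample)');
  const signature = nodeCrypto.sign(null, original, privateKey);
  const integrity = sriDigest(original);

  // A different resource, published together with a freshly computed hash.
  // Anyone can compute a hash; only the key holder can produce a signature.
  const replaced = Buffer.from('installer v1.0 (replaced sample)');
  const replacedIntegrity = sriDigest(replaced);

  return {
    originalHashOk: checkIntegrity(original, integrity),
    originalSigOk: checkSignature(original, signature, publicKey),
    replacedOldHashOk: checkIntegrity(replaced, integrity),
    replacedNewHashOk: checkIntegrity(replaced, replacedIntegrity),
    replacedSigOk: checkSignature(replaced, signature, publicKey),
  };
}
```

The hash check passes for any body whose hash is published alongside it, so it is only as trustworthy as the channel that delivered the hash; the signature check additionally ties the body to the holder of the publisher's private key.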