Hi all, looking over the W3C TAG packaging draft [1], I would like to see security through package signing as a use case for packaging.
A hypothetical scenario using Google/Yahoo's End to End email encryption project: 1. User goes to https://cryptomail.yahoo.com/app.pack for the first time. The HTTP response header includes a package signing key for that resource. This key is pinned, like in HPKP, for some max-age. (The key could also just be included as part of the package.) 2. The browser verifies the signature over app.pack (perhaps as a special signature part in the package body, as in PGP/MIME) using the pinned key for that resource. 3. The packaged app only runs if signature verification succeeds. Verification using the same pinned key is enforced for the max-age amount of time whenever the user loads the package in the future. The context here is that some app authors would like to provide better code integrity guarantees via signing with an offline key. This can be achieved by writing a browser extension or certain types of installable apps, but those have various disadvantages (lack of cross-browser compatibility and dependency on a central "app store", for instance). More considerations in the github issue I opened: https://github.com/w3ctag/packaging-on-the-web/issues/21 Thoughts? -Yan [1] https://w3ctag.github.io/packaging-on-the-web/