Hi all, looking over the W3C TAG packaging draft [1], I would like to see 
security through package signing as a use case for packaging.

A hypothetical scenario using Google/Yahoo's End to End email encryption 
project:
1. User goes to https://cryptomail.yahoo.com/app.pack for the first time. The 
HTTP response header includes a package signing key for that resource. This key 
is pinned, like in HPKP, for some max-age. (The key could also just be included 
as part of the package.)

2. The browser verifies the signature over app.pack (perhaps as a special 
signature part in the package body, as in PGP/MIME) using the pinned key for 
that resource.

3. The packaged app only runs if signature verification succeeds. Verification 
using the same pinned key is enforced for the max-age amount of time whenever 
the user loads the package in the future.

The context here is that some app authors would like to provide better code 
integrity guarantees via signing with an offline key. This can be achieved by 
writing a browser extension or certain types of installable apps, but those 
have various disadvantages (lack of cross-browser compatibility and dependency 
on a central "app store", for instance).
More considerations in the github issue I opened: 
https://github.com/w3ctag/packaging-on-the-web/issues/21
Thoughts?

-Yan
[1] https://w3ctag.github.io/packaging-on-the-web/
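The three-step flow above, modelled as a small Go sketch of the browser side. This is an added example, not code from the post or from the TAG draft, and it assumes two things the proposal leaves open: Ed25519 as the signature algorithm, and a hypothetical header syntax `Package-Signing-Key: <base64 key>; max-age=<seconds>`. A pin is only planted after a signature verifies, so a tampered first load cannot poison the pin, and while a pin is live a replacement key sent by the server is ignored, which is what gives the offline-key model its value.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

// pin is one resource's pinned package-signing key and when the pin lapses (max-age).
type pin struct{ key ed25519.PublicKey; expires time.Time }

// PinStore models the browser's per-URL pin store; Now is injectable so a test can
// step the clock past max-age.
type PinStore struct {
	Pins map[string]pin
	Now  func() time.Time
}

// ParseHeader reads the hypothetical "Package-Signing-Key: <base64 key>; max-age=<seconds>"
// header value (my assumed syntax, not the draft's).
func ParseHeader(v string) (ed25519.PublicKey, time.Duration, error) {
	parts := append(strings.SplitN(v, ";", 2), "") // parts[1] is "" when max-age is absent
	key, err := base64.StdEncoding.DecodeString(strings.TrimSpace(parts[0]))
	secs, err2 := strconv.Atoi(strings.TrimPrefix(strings.TrimSpace(parts[1]), "max-age="))
	if err != nil || len(key) != ed25519.PublicKeySize || err2 != nil || secs < 0 {
		return nil, 0, errors.New("malformed Package-Signing-Key header")
	}
	return key, time.Duration(secs) * time.Second, nil
}

// Load is the browser side of steps 1-3. While a pin for url is live the header is
// ignored and sig must verify over pkg under the pinned key; otherwise the header key
// is used and, only if its signature verifies, pinned for max-age. nil means "run it".
func (s *PinStore) Load(url, header string, pkg, sig []byte) error {
	key, maxAge, err := ParseHeader(header)
	if p, ok := s.Pins[url]; ok && s.Now().Before(p.expires) {
		key, maxAge, err = p.key, p.expires.Sub(s.Now()), nil // pinned: keep existing expiry
	}
	if err != nil {
		return err
	}
	if !ed25519.Verify(key, pkg, sig) {
		return errors.New("package signature does not verify; refusing to run it")
	}
	s.Pins[url] = pin{key: key, expires: s.Now().Add(maxAge)}
	return nil
}
```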
