Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification
On Wed, Dec 9, 2015 at 10:05 AM, Sean B. Palmer wrote:
> I expect that I will be continuing this discussion largely with the
> WebAppSpec team, as their work is so obviously related to the contents
> of the Internet-Draft.

Thank you, that does indeed seem like the right place. And then from there it can be merged into the HTML Standard down the road.

--
https://annevankesteren.nl/
Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification
For anybody who wishes to follow the progress made so far elsewhere on the web about this suggestion, this message contains some pointers to further discussion.

On public-html, Martin Jenecke pointed out some potential drawbacks with naming the attribute "rels", and suggested just using a "signature" attribute instead:

https://lists.w3.org/Archives/Public/public-html/2015Dec/0022.html

Meanwhile after Michael Smith wrote to tell me of the Subresource Integrity work by the WebAppSpec people, I contributed a more extensive write up of the use case scenario and problem here on GitHub where they have their issue tracker:

https://github.com/w3c/webappsec/issues/449#issuecomment-163279813

I understand that the WHATWG list is more interested in listening to the problems before solutions are mooted, and as such my GitHub writeup goes into more background detail on that front than was included in the Internet-Draft.

I should note that an Internet-Draft is not a specification, ('It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."'), and any suggested solutions are strawman placeholders, and can be changed subject to feedback.

I expect that I will be continuing this discussion largely with the WebAppSpec team, as their work is so obviously related to the contents of the Internet-Draft.

On Tue, Dec 8, 2015 at 3:44 PM, Sean B. Palmer wrote:
> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> --
> Sean B. Palmer

--
Sean B. Palmer, http://inamidst.com/sbp/
Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification
Signatures and hashes have different use cases. A signature guarantees that a person or organisation endorses a resource, as well as guaranteeing the integrity. A hash only guarantees the integrity.

A signature should be given if a user is downloading software that must be proven to come from a trusted source, e.g. a privacy suite or bank assistant.

Subresource Integrity could perhaps be extended to the signature use case. I will write to the group. Thanks for the pointer!

On Wed, Dec 9, 2015 at 4:39 AM, Michael[tm] Smith wrote:
> "Sean B. Palmer" , 2015-12-08 15:44 +:
>>
>> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> Seems like the underlying use case is something Subresource Integrity is
> already intended to potentially be used to address.
>
> https://w3c.github.io/webappsec-subresource-integrity/
> https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
>
> --
> Michael[tm] Smith https://people.w3.org/mike

--
Sean B. Palmer, http://inamidst.com/sbp/
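The distinction drawn in the message above, as an added example that is not part of the thread or of the Internet-Draft: a Node.js sketch comparing an SRI-style hash check with a detached-signature check on the same download. The function names, the sample data and the choice of Ed25519 are assumptions made for illustration; the draft's own signature format is not shown here.

```javascript
const crypto = require('crypto');

// SRI-style integrity value: "sha384-" followed by the base64 digest.
function sriValue(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body).digest('base64');
}

// Hash check: passes when the body matches the value given by the referring page.
function checkHash(body, integrity) {
  return sriValue(body) === integrity;
}

// Signature check: passes only when the body was signed with the private key
// matching a public key the verifier already trusts.
function checkSignature(body, signature, trustedPublicKey) {
  return crypto.verify(null, body, trustedPublicKey, signature);
}

// Constructed sample data. Ed25519 is an assumption; the thread names no algorithm.
const publisher = crypto.generateKeyPairSync('ed25519');
const original = Buffer.from('installer v1.0 (constructed sample)');
const modified = Buffer.from('installer v1.0 (constructed sample, altered)');

function demo() {
  const integrity = sriValue(original);                          // published on the page
  const sig = crypto.sign(null, original, publisher.privateKey); // made by the publisher
  const intact = checkHash(original, integrity) &&
    checkSignature(original, sig, publisher.publicKey);

  // Case 1: only the file differs from what the page references.
  // Both checks reject it.
  const fileOnly = {
    hash: checkHash(modified, integrity),
    signature: checkSignature(modified, sig, publisher.publicKey),
  };

  // Case 2: the page's integrity value was regenerated for the altered file.
  // The hash check now passes, because a hash proves integrity relative to the
  // page only. The signature still fails: it binds the file to the key holder.
  const fileAndPage = {
    hash: checkHash(modified, sriValue(modified)),
    signature: checkSignature(modified, sig, publisher.publicKey),
  };

  return { intact, fileOnly, fileAndPage };
}

console.log(demo());
```

The signature check is only as strong as the way the verifier obtained `trustedPublicKey`; a key fetched from the same page as the download adds nothing over the hash.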
Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification
"Sean B. Palmer" , 2015-12-08 15:44 +:
>
> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt

Seems like the underlying use case is something Subresource Integrity is already intended to potentially be used to address.

https://w3c.github.io/webappsec-subresource-integrity/
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

--
Michael[tm] Smith https://people.w3.org/mike
Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification
+1

---
Delfi Ramirez
My digital signature [1]
+34 633 589231
del...@segonquart.net [2]
twitter: delfinramirez
IRC: segonquart
Skype: segonquart [3]
http://segonquart.net
http://delfiramirez.info [4]

On 2015-12-08 16:44, Sean B. Palmer wrote:
> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> --
> Sean B. Palmer

Links:
--
[1] http://delfiramirez.info/public/dr_public_key.asc
[2] mail:%20del...@segonquart.net
[3] skype:segonquart
[4] http://delfiramirez.info
[whatwg] Signature Link Relation for Cryptographic Resource Verification
https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt

--
Sean B. Palmer