Well, I may be mistaken, or I may have mis-skimmed your proposal. To be more concrete: At the WebAppSec / WebCrypto meeting in November, it was mentioned (by Brad Hill IIRC) that one of the things that WebAppSec might be looking into after CSP would be link-based assertions. The example I remember is to attach a digest of the destination resource to a link, so that, e.g., if a third-party script were compromised, it could be recognized. Seems slightly different, but still related.
In any case, might not hurt to ping the WebAppSec list as well as this one.

Cheers,
--Richard

On Wednesday, February 13, 2013, Joseph Bonneau wrote:

>> I believe some ideas of this character have been discussed in the W3C
>> WebAppSec WG.
>> http://www.w3.org/2011/webappsec/
>
> Can you point to anything more specific? I discussed s-links via email
> with Adam Barth who's a CSP editor and it didn't seem that this has been
> extensively discussed by the WebAppSec WG...
>
> The only thing I can think of is discussion about enabling CSP to require
> that the same cert is presented for all page resources, which I believe
> didn't make the spec due to origin contamination problems. S-links, by the
> way, has the same issue unless a persistent key pin (or other persistent
> security upgrade) is immediately received, as discussed on the s-links
> site: this is a very important subtlety.
>
> Cheers,
>
> Joe
_______________________________________________
therightkey mailing list
https://www.ietf.org/mailman/listinfo/therightkey
