> > To be more concrete: At the WebAppSec / WebCrypto meeting in November, it
> > was mentioned (by Brad Hill IIRC) that one of the things that WebAppSec
> > might be looking into after CSP would be link-based assertions. The example
> > I remember is to attach a digest of the destination resource to a link, so
> > that, e.g., if a third-party script were compromised, it could be
> > recognized. Seems slightly different, but still related.
>
> Ah, I see where you were going now. I mentioned this on the s-links FAQ:
> including content hashes in links has indeed been proposed many times. This
> solves a completely different problem (including content from an untrusted
> mirror) compared to securely getting TLS security info for a new domain that
> you'll have some future interaction with. I left it out of s-links (though it
> could certainly be added as an additional directive) because I think it is
> such a different problem. In any case, it might not hurt to ping the
> WebAppSec list as well as this one.
>

Will do. My thinking is, though, that there are lots of web security details
to get right here (and hopefully the trickiest ones came out of the Chromium
mailing list), but I'd like to get higher-level feedback from people interested
in bigger-picture TLS issues about whether or not s-links are a desirable
building block before diving into that level of detail.

Cheers,
Joe
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
