Signature and hashes have different use cases. A signature guarantees that a person or organisation endorses a resource, as well as guaranteeing the integrity. A hash only guarantees the integrity. A signature should be given if a user is downloading software that must be proven to come from a trusted source, e.g. a privacy suite or bank assistant.
Subresource Integrity could perhaps be extended to the signature use case. I will write to the group. Thanks for the pointer! On Wed, Dec 9, 2015 at 4:39 AM, Michael[tm] Smith <m...@w3.org> wrote: > "Sean B. Palmer" <s...@miscoranda.com>, 2015-12-08 15:44 +0000: >> >> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt > > Seems like the underlying use case is something Subresource Integrity is > already intended to potentially be used to address. > > https://w3c.github.io/webappsec-subresource-integrity/ > https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity > > -- > Michael[tm] Smith https://people.w3.org/mike -- Sean B. Palmer, http://inamidst.com/sbp/