Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification

2015-12-09 Thread Sean B. Palmer
Signatures and hashes have different use cases. A signature guarantees
that a person or organisation endorses a resource, as well as
guaranteeing the integrity. A hash only guarantees the integrity. A
signature should be given if a user is downloading software that must
be proven to come from a trusted source, e.g. a privacy suite or bank
assistant.

Subresource Integrity could perhaps be extended to the signature use
case. I will write to the group. Thanks for the pointer!

On Wed, Dec 9, 2015 at 4:39 AM, Michael[tm] Smith wrote:
> "Sean B. Palmer", 2015-12-08 15:44 +:
>>
>> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> Seems like the underlying use case is something Subresource Integrity is
> already intended to potentially be used to address.
>
>   https://w3c.github.io/webappsec-subresource-integrity/
>   https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
>
> --
> Michael[tm] Smith https://people.w3.org/mike



-- 
Sean B. Palmer, http://inamidst.com/sbp/
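
The distinction drawn in the message above, as an added example that is not part of the thread or of the Internet-Draft: a hash published beside a download still matches when page and file are replaced together, while a signature checked against a key the client already holds does not. Node.js, Ed25519, the pinned-key model and every function name here are assumptions chosen for illustration; the draft's own signature format is not shown.

```javascript
const nodeCrypto = require('node:crypto');

// SRI-style integrity value: "<alg>-<base64 digest>".
function sriDigest(body, alg = 'sha384') {
  return alg + '-' + nodeCrypto.createHash(alg).update(body).digest('base64');
}

// Integrity only: does the body match the hash published beside the link?
function hashMatches(body, integrity) {
  const alg = integrity.split('-', 1)[0];
  if (!['sha256', 'sha384', 'sha512'].includes(alg)) return false;
  const want = Buffer.from(integrity);
  const got = Buffer.from(sriDigest(body, alg));
  return want.length === got.length && nodeCrypto.timingSafeEqual(want, got);
}

// Integrity plus endorsement: detached Ed25519 signature checked against a
// public key the client obtained earlier (pinned), not one sent with the file.
function signatureValid(body, signature, pinnedPublicKey) {
  try {
    return nodeCrypto.verify(null, body, pinnedPublicKey, signature);
  } catch {
    return false; // malformed signature or key
  }
}
function checkBoth(page, pinnedPublicKey) {
  return {
    hash: hashMatches(page.body, page.integrity),
    signature: signatureValid(page.body, page.signature, pinnedPublicKey),
  };
}

// Constructed scenario: all keys and file contents are generated sample data.
function demo() {
  const publisher = nodeCrypto.generateKeyPairSync('ed25519');
  const other = nodeCrypto.generateKeyPairSync('ed25519'); // not the publisher
  const makePage = (text, signingKey) => {
    const body = Buffer.from(text);
    return { body, integrity: sriDigest(body),
             signature: nodeCrypto.sign(null, body, signingKey) };
  };
  const genuine = makePage('installer 1.0 (constructed sample)', publisher.privateKey);
  // Page and file replaced together: the hash is recomputed and still matches,
  // but the replacement cannot be signed with the publisher's private key.
  const replaced = makePage('installer 1.0 (replaced copy)', other.privateKey);
  return { genuine: checkBoth(genuine, publisher.publicKey),
           replaced: checkBoth(replaced, publisher.publicKey) };
}
console.log(demo());
```

The signature check is only as strong as the way the public key reached the client; a key fetched from the same page as the file adds nothing over the hash.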


Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification

2015-12-09 Thread Sean B. Palmer
For anybody who wishes to follow the progress made so far elsewhere on
the web about this suggestion, this message contains some pointers to
further discussion.

On public-html, Martin Jenecke pointed out some potential drawbacks
with naming the attribute "rels", and suggested just using a
"signature" attribute instead:

https://lists.w3.org/Archives/Public/public-html/2015Dec/0022.html

Meanwhile, after Michael Smith wrote to tell me of the Subresource
Integrity work by the WebAppSec people, I contributed a more
extensive write-up of the use case scenario and problem here on GitHub,
where they have their issue tracker:

https://github.com/w3c/webappsec/issues/449#issuecomment-163279813

I understand that the WHATWG list is more interested in listening to
the problems before solutions are mooted, and as such my GitHub
write-up goes into more background detail on that front than was
included in the Internet-Draft. I should note that an Internet-Draft
is not a specification ('It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."'), and any suggested solutions are strawman placeholders,
and can be changed subject to feedback.

I expect that I will be continuing this discussion largely with the
WebAppSec team, as their work is so obviously related to the contents
of the Internet-Draft.

On Tue, Dec 8, 2015 at 3:44 PM, Sean B. Palmer wrote:
> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> --
> Sean B. Palmer



-- 
Sean B. Palmer, http://inamidst.com/sbp/