Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification

2015-12-10 Thread Anne van Kesteren
On Wed, Dec 9, 2015 at 10:05 AM, Sean B. Palmer  wrote:
> I expect that I will be continuing this discussion largely with the
> WebAppSec team, as their work is so obviously related to the contents
> of the Internet-Draft.

Thank you, that does indeed seem like the right place. And then from
there it can be merged into the HTML Standard down the road.


-- 
https://annevankesteren.nl/


Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification

2015-12-09 Thread Sean B. Palmer
Signatures and hashes have different use cases. A signature guarantees
that a person or organisation endorses a resource, as well as
guaranteeing the integrity. A hash only guarantees the integrity. A
signature should be given if a user is downloading software that must
be proven to come from a trusted source, e.g. a privacy suite or bank
assistant.

Subresource Integrity could perhaps be extended to the signature use
case. I will write to the group. Thanks for the pointer!

On Wed, Dec 9, 2015 at 4:39 AM, Michael[tm] Smith  wrote:
> "Sean B. Palmer" , 2015-12-08 15:44 +:
>>
>> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> Seems like the underlying use case is something Subresource Integrity is
> already intended to potentially be used to address.
>
>   https://w3c.github.io/webappsec-subresource-integrity/
>   https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
>
> --
> Michael[tm] Smith https://people.w3.org/mike



-- 
Sean B. Palmer, http://inamidst.com/sbp/
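
The signature-versus-hash distinction drawn in the message above, as an added example that is not part of the original post or of the Internet-Draft: when the page that carries the digest is itself altered, the hash check still passes, while a signature checked against the publisher's known public key does not. Ed25519, the function names and the sample bytes are assumptions chosen for illustration.

```javascript
// Added example: constructed data and hypothetical names throughout.
const crypto = require('node:crypto');

// Publisher's long-term key pair; the public key reaches the user out of band.
const publisher = crypto.generateKeyPairSync('ed25519');

// Integrity only: a digest in the Subresource Integrity "sha384-<base64>" form.
function sriDigest(resource) {
  return 'sha384-' + crypto.createHash('sha384').update(resource).digest('base64');
}

// Hash check: is the resource the one this digest describes?
function hashMatches(resource, digest) {
  const a = Buffer.from(sriDigest(resource));
  const b = Buffer.from(digest);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Signature check: did the holder of the matching private key endorse these bytes?
function signatureValid(resource, signature, publicKey) {
  return crypto.verify(null, resource, publicKey, signature);
}

// What a page would serve: the resource plus its verification metadata.
function publish(resource, privateKey) {
  return { resource, digest: sriDigest(resource), signature: crypto.sign(null, resource, privateKey) };
}

// Case 1: the untampered release, signed by the publisher.
const genuine = publish(Buffer.from('installer v1.0 (constructed)'), publisher.privateKey);

// Case 2: the hosting page is altered. Resource and digest are replaced together,
// and the signature comes from a key the publisher does not control.
const otherKey = crypto.generateKeyPairSync('ed25519');
const substituted = publish(Buffer.from('different bytes (constructed)'), otherKey.privateKey);

// Verify a served bundle against the publisher's known public key.
function check(bundle) {
  return {
    hashOk: hashMatches(bundle.resource, bundle.digest),
    signatureOk: signatureValid(bundle.resource, bundle.signature, publisher.publicKey),
  };
}

console.log('genuine    ', check(genuine));
console.log('substituted', check(substituted));
```

The hash result is only as trustworthy as the channel that delivered the digest; the signature result depends on how the verifier obtained the public key.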


Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification

2015-12-09 Thread Sean B. Palmer
For anybody who wishes to follow the progress made so far elsewhere on
the web about this suggestion, this message contains some pointers to
further discussion.

On public-html, Martin Jenecke pointed out some potential drawbacks
with naming the attribute "rels", and suggested just using a
"signature" attribute instead:

https://lists.w3.org/Archives/Public/public-html/2015Dec/0022.html

Meanwhile, after Michael Smith wrote to tell me of the Subresource
Integrity work by the WebAppSec people, I contributed a more
extensive write-up of the use case scenario and problem here on GitHub
where they have their issue tracker:

https://github.com/w3c/webappsec/issues/449#issuecomment-163279813

I understand that the WHATWG list is more interested in listening to
the problems before solutions are mooted, and as such my GitHub
writeup goes into more background detail on that front than was
included in the Internet-Draft. I should note that an Internet-Draft
is not a specification, ('It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."'), and any suggested solutions are strawman placeholders,
and can be changed subject to feedback.

I expect that I will be continuing this discussion largely with the
WebAppSec team, as their work is so obviously related to the contents
of the Internet-Draft.

On Tue, Dec 8, 2015 at 3:44 PM, Sean B. Palmer  wrote:
> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
>
> --
> Sean B. Palmer



-- 
Sean B. Palmer, http://inamidst.com/sbp/


Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification

2015-12-08 Thread Delfi Ramirez
 

+1 
---

Delfi Ramirez

My digital signature [1]

+34 633 589231
 del...@segonquart.net [2] 

twitter: delfinramirez

 IRC: segonquart Skype: segonquart [3]

http://segonquart.net

http://delfiramirez.info
 [4]

On 2015-12-08 16:44, Sean B. Palmer wrote: 

> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt
> 
> -- 
> Sean B. Palmer
 

Links:
--
[1] http://delfiramirez.info/public/dr_public_key.asc
[2] mail:%20del...@segonquart.net
[3] skype:segonquart
[4] http://delfiramirez.info


[whatwg] Signature Link Relation for Cryptographic Resource Verification

2015-12-08 Thread Sean B. Palmer
https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt

-- 
Sean B. Palmer


Re: [whatwg] Signature Link Relation for Cryptographic Resource Verification

2015-12-08 Thread Michael[tm] Smith
"Sean B. Palmer" , 2015-12-08 15:44 +:
> 
> https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt

Seems like the underlying use case is something Subresource Integrity is
already intended to potentially be used to address.

  https://w3c.github.io/webappsec-subresource-integrity/
  https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

-- 
Michael[tm] Smith https://people.w3.org/mike