On 02/14/2013 03:39 AM, Joseph Bonneau wrote:
>> To be more concrete: At the WebAppSec / WebCrypto meeting in November, it
>> was mentioned (by Brad Hill IIRC) that one of the things that WebAppSec
>> might be looking into after CSP would be link-based assertions. The example
>> I remember is to attach a digest of the destination resource to a link, so
>> that, e.g., if a third-party script were compromised, it could be
>> recognized. Seems slightly different, but still related.
>
> Ah, I see where you were going now. I mentioned this on the s-links
> FAQ: including content hashes in links has indeed been proposed many times.
> This solves a completely different problem (including content from an
> untrusted mirror) compared to securely getting TLS security info for a
> new domain that you'll have some future interaction with. I left it out of
> s-links (though it could certainly be added as an additional directive)
> because I think it is such a different problem.
I agree that's a totally different problem (I even know one bozo who wrote
up an I-D for naming things with hashes :-) I'm not sure whether mixing
naming and html-level TLS key pinning in the same mechanism would make
sense though.

S.

>> In any case, might not hurt to ping the WebAppSec list as well as this one.
>
> Will do. My thinking is though, there are lots of web security details to
> get right here (and hopefully the trickiest ones came out of the Chromium
> mailing list) but I'd like to get higher-level feedback from people
> interested in bigger-picture TLS issues about whether or not s-links are a
> desirable building block before diving into that level of detail.
>
> Cheers,
>
> Joe

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey