Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Who Is Strongest? #3

Closed
otherdaniel opened this issue Aug 22, 2017 · 3 comments
Closed

Who Is Strongest? #3

otherdaniel opened this issue Aug 22, 2017 · 3 comments

Comments

@otherdaniel
Copy link

Subresource Integrity specifies to get the strongest metadata from the set of supplied SRI constraints, but unfortunately forgot to mention what strongest means in this context. This would be reasonably intuitive for 3 hash functions from the same family (shaXXX-*), but would already break down for hash functions from a different family, or for something entirely different, like a digital signature scheme.

For practical purposes, it's likely best to define strongest as loosely being newest, since that would allow a deployment scenario where you can add try out the latest scheme by adding it to the main resource, without having to worry about which clients support it.

@otherdaniel
Copy link
Author

Alternatively, one could give up the notion of "strongest" in favour of the order (or another explicit criteria), to let the page author express their intent.

@devd
Copy link

devd commented Nov 29, 2017

hmm .. is this a bug in SRI or in the signatures + SRI part?

If you are only talking about hashes and strongest, SRIv1 IIRC intentionally doesn't go into who is strongest. The idea is that the browser can and should pick. Relative strengths of hash functions change over time as attacks are found and new hash functions discovered. The UA should pick (or the web app author can use only the ones they want).

Or is there something specific about the Signatures bit you are asking about? Its not clear (to me) in the current writeup if a server can respond with multiple signatures (See #8 ). Assuming multiple signatures are allowed, then I think we can still leave it to the UA to use the strongest signature it can find or fail (or do something else)

@mikewest
Copy link
Member

mikewest commented Oct 9, 2024

Closing this in favor of w3c/webappsec-subresource-integrity#126, as it's more about SRI than signatures specifically.

@mikewest mikewest closed this as not planned Won't fix, can't repro, duplicate, stale Oct 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants