Signature-based SRI and CDNs from Mark Nottingham on 2017-11-09 (public-webappsec@w3.org from November 2017)

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 9 Nov 2017 11:38:08 +1100
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Mike West <mkwst@google.com>
Message-Id: <AE7D5499-C1A4-4793-A167-49F03CDAD59D@mnot.net>

Hi!

Reading the minutes <https://www.w3.org/2017/11/07-webappsec-minutes.html#item04>, I see there was some question about what CDNs thought about signature-based SRI.

As a person familiar with CDNs, I think it's safe to say this is *very* interesting -- generally, anything that gives Web developers more confidence about serving bits over a CDN is a good thing for them.

I especially like the proposal to allow a signature to be communicated in a response header; that avoids the need to modify content.

A couple of random thoughts:

1) The case for associating a public key with third-party content is relatively straightforward. It's much more difficult to establish a key for an entire host (see: pinning problems), but it would be very valuable for the increasingly-common case of an entire origin being delegated to a CDN.

2) The hard part about signatures for HTTP messages has always been picking which headers to sign, and canonicalising them. Header rewriting by intermediaries is less of a concern with TLS, but you still have the CDN itself to contend with, as well as any user-side software that's being "helpful." Content-Type seems like a good start, and as pointed out, Date is probably a good contender (although interactions with caching would need to be carefully considered).

3) One of the motivators for the design of encrypted content encoding <http://httpwg.org/specs/rfc8188.html> was random access to the payload, as well as partial content responses. It'd be cool if the design here could accommodate that (although doing that might make it more verbose / involved than desired for this use case -- although if you're doing Date header signing, it's already getting pretty involved). E.g., see <https://www.ietf.org/archive/id/draft-thomson-http-mice-02.txt>.

From a HTTP WG standpoint -- we've been nosing around this space for a while, and I suspect there'd be interest and support for doing something in this area from folks there. If you want review / feedback, I'd be happy to circulate it.

Cheers,

--
Mark Nottingham https://www.mnot.net/

Received on Thursday, 9 November 2017 00:38:37 UTC