Signature-based SRI is being spec'd right now: wicg.github.io/signature-ba... This will be useful for many use case and become relevant for PCIv4 compliance which requires assuring the integrity of sourced scripts (6.4.3). Please chime in and share your use cases: github.com/WICG/signatu... - ThreadSky

webappsec.dev • 101 days ago

Signature-based SRI is being spec'd right now:
https://wicg.github.io/signature-based-sri/

This will be useful for many use case and become relevant for PCIv4 compliance which requires assuring the integrity of sourced scripts (6.4.3).

Please chime in and share your use cases: https://github.com/WICG/signature-based-sri

Comments

javanrasokat.bsky.social•101 days ago

Looks like PCI is a real innovation enabler. I was astound when I saw the requirements of CSP, too. Now this.

webappsec.dev•101 days ago

yeah, although the risk is that there'll be funky vendor solutions until there's browser support for proper solutions (like we proxy all scripts through our service or do some funky scanning to check if any of your scripts have changed)

javanrasokat.bsky.social•100 days ago

Oh yes, I first became aware of CSP runtime monitoring through a vendor (guilty as charged).

benstock.bsky.social•101 days ago

On the plus side, one of the limitations of SRI was third parties adding random content (see https://swag.cispa.saarland/papers/steffens2021blockparty.pdf final table). However, SRI in its current form protects including sites from a full compromise, whereas this assumption is being relaxed if there are signatures involved.

mikewe.st•100 days ago

You're entirely right. The promises signatures can make are different in kind, but hopefully no less useful. https://wicg.github.io/signature-based-sri/#signatures-vs-hashes and https://wicg.github.io/signature-based-sri/#security-provenance-not-content get at the distinctions to some extent, and I'd welcome additions to those descriptions.

webappsec.dev•101 days ago

Indeed signatures have different security properties, but since trusting a signature is an opt-in feature, I'm not worried about this.

webappsec.dev•101 days ago

Also Signatures allows for nice advanced code provenance use cases like removing the CDN form the TCB by signing an OSS build in a github workflow and have the CDN pass on the pubkey.

webappsec.dev•101 days ago

also please join me in thanking @mikewe.st, @ddworken.bsky.social and @yoav.ws for pushing this forward!

webappsec.dev•101 days ago

cc: @scotthelme.bsky.social reporting is being worked on as well

Comments

Posting Rules

Reply