Content Integrity

[BigBlueHat]

I've been pondering content integrity in light of the "scattered" nature of Web resources. Even "single origin" pages often use CDNs (sometimes several). The WebApp Security WG is working on the Subresource Integrity spec (aka SRI) which handles this scenario for <script> and <style>...but that's it.

From the Subresource Integrity spec's intro:
"[Current] mechanisms, however, authenticate only the server, not the content."

As we a imagine a more document-centric, distributed (via Packaged Web Publication), and offline-able world for the Web, we will need similar integrity mechanisms that are content focused (as well as the current script and style options).

Filling this need could be done by utilizing what's being explored in the SRI spec or through some other similar content-hashing or signing system.

This will be simplest when applied within a Package Web Publication, but it is more desperately needed within a Web Publication--where parts are (currently) expected to be "scattered" across the Web.

[BigBlueHat]

Interesting work from the IETF and Mozilla:

• Merkle Integrity Content Encoding - hashes and merkle trees for tracking integrity and (to some extent) change over time--similar(ish) to @datproject's approach
• An Architecture for Secure Content Delegation using HTTP - focused on Content Delivery Network delivery delegation (i.e. request from publisher.example; delivered by cdn.example)

[BigBlueHat]

One of today's finds around content integrity is the Instance Digests in HTTP spec which creates a Digest, Want-Digest, and proposes some tweaks to ye olde Content-MD5 header of yore.

The usage sounds very similar to Etag and If-None-Match patterns in HTTP, but with the addition of a verifiable hash algorithm (and not just a string identifier) which can be used on the response by the recipient.

This (or something like it) coupled with features described in this 2014 edition of the Sub-Resource Integrity spec provide a conceptual (at least) basis for building out a verifiable content exchange. Maybe. 😃

[BigBlueHat]

@iherman I only just realized you've labeled this as "security" related. I don't think this topic is solely security related, though--and the label likely means most folks will ignore it (sadly).

Content integrity is as much about knowing that I have what I asked for as it is about knowing no one else changed my request (or the response) along the way.

Content integrity mechanisms may also be the vector on which we can build updating, stability, and even offline-ing capabilities.

Would you mind either adding more labels (if we have them)?

[iherman]

@BigBlueHat : adding new labels is no problem. I have added offline access, because you mentioned it, but could you check the list of labels to see which other topic it would fit? Or what labels are missing?

[iherman]

added to https://github.com/w3c/wpub/wiki/Beyond-Scope