From da2034b6cdfaf94c0b8a2f3e0c98b942852ae1f3 Mon Sep 17 00:00:00 2001 From: Reilly Grant Date: Mon, 18 Apr 2022 10:45:23 -0700 Subject: [PATCH] Clarify the first paragraph of the proposed solution State explicitly why this is more secure. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2a1cd56..69fb2ca 100644 --- a/README.md +++ b/README.md 
@@ -17,7 +17,7 @@ This proposal should _not_ be considered a desirable model for most web-based ap ## Proposed Solution -The first component of this proposed solution is to decouple the integrity of the site resources from the integrity of the host serving them. Web Bundles (combined with [Signed HTTP Exchanges](https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html)) propose a way of packaging HTTP responses in a way that allows an untrusted third party to distribute them on behalf of the original server. Isolated Web Apps take this in a different direction by creating an entirely new origin for content served from these bundles. +The core of this proposal is making application updates explicit. Unlike TLS keys, which have to be available online to establish new connections, the key used to sign the Web Bundle can be kept securely offline and is used infrequently. The channel through which updates are distributed creates another point where the new resources can be checked for potentially malicious content. This is different from bundling [Signed HTTP Exchanges](https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html) because we don’t intend to create a verifiable mirror of a subset of a site’s resources, but a holistically verifiable version of an entire application. For this reason Isolated Web Apps should use a new origin for content served from these bundles. The reason for this is both practical and philosophical. If the identity of the site were still based on a DNS name, then it would still be vulnerable to a temporary loss of control over that domain or the infrastructure used to validate ownership of the domain. Philosophically, we also want to avoid building an alternative to certificate authorities which shares the same namespace. 
Isolated Web Apps therefore use a new scheme (tentatively, `isolated-app://`) where the authority section of the URL is a hash of the public key used to sign the Web Bundle containing the application resources.
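Review bot: The replacement paragraph in the `@@ -17,7 +17,7 @@` hunk packs four distinct arguments (offline signing key, the update channel as an inspection point, the contrast with Signed HTTP Exchanges, and the practical/philosophical case for a new origin) into one paragraph, and the sentence "For this reason Isolated Web Apps should use a new origin for content served from these bundles." reads as a conclusion while the reasons for it only follow afterwards. Consider splitting at that sentence so the origin rationale stands as its own paragraph immediately before the unchanged line "Isolated Web Apps therefore use a new scheme (tentatively, `isolated-app://`) ...", which it leads into. Relatedly, the commit message says the change clarifies why the design is more secure, but the old text's framing of decoupling "the integrity of the site resources from the integrity of the host serving them" is dropped rather than clarified; if that idea is meant to survive, keep one sentence of it, and since the following context line ties the origin to a hash of the signing public key, the new text's claim that the key "can be kept securely offline and is used infrequently" would benefit from a sentence (or a pointer to the section that covers it) on what key loss or rotation means for an app's identity.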