[dane-pgp]

As a nice side effect of Google pushing Web Packaging, we get one step closer to having web apps that are signed with an offline key and served with a clear version number.

This would mean you could have at least a TOFU security model, where a web app that you trust can't be replaced (without you knowing) by an insecure version you haven't seen before.

Add some binary transparency [1] logging on top of that, and it might be possible to make browser-based JavaScript crypto almost as secure as the equivalent desktop app.

[1] https://wiki.mozilla.org/Security/Binary_Transparency

[zozbot123]

You could do this quite simply by requesting trusted apps to be identified by Named Information (ni:// or nih://) URIs (see https://tools.ietf.org/html/rfc6920 ) using a digest algorithm of sufficient strength. But the ability to "seamlessly" replace web apps is something that many websites would insist on, I think. Of course ni:// and nih:// can be applied to documents as well. They work on the IPFS model, where you enter some digest of the desired content as your URI (it's actually a URN, not a URL!) and then it's the user agent's job to fetch it from wherever, perhaps in a decentralized way.