[saurik]

1) It seems strange that this spec isn't an extension of the previous cache manifest mechanism, which was very similar and served a very similar purpose: it listed all of the URLs of your web app, so they could all be pre-downloaded... it just didn't include the hashes, and that could easily have been added.

2) That the hashes are the primary key and the path is the value makes no sense, as it means that files can only have exactly one path. I have often ended up with the same file mapped to two places in my website for various reasons, such as collisions in purpose over time (but the URL is a primary key) or degenerate objects. Now, yes: I can navigate avoiding that, but why do I have to? The only thing this seems to be buying is the idea that the same path can have more than one hash, and even if we really want that, it seems like it would make a million times more sense to just make the value be an array of hashes, as that will make this file a billion times more auditable: "what hashes can this path have?" should be more clear than "I did a search of the file to check and I realized we had a typo with the same path in two places". No one -- including the browser implementing this -- is trying to do the inverse operation (map a hash to a path).

3) That this signs only the content of the file and not the HTTP status or any of the headers seems like an inexcusable omission and is going to end up resulting in some kind of security flaw some day (which isn't an issue for subresource integrity, as those cases don't have headers the app might want and only comes into play for successful status). We even have another specification in play for how and what to sign (which includes the ability to lock in only a subset of the headers): Signed HTTP Messages. That should be consulted and re-used somehow.

4) Since they want to be able to allow the site to be hosted in more than one place anyway, they really should bite the bullet and make the identity of the site be a key, not a hostname, and the origin of a site should then become the public key. This would let the same site hosted by multiple places share the same local browser storage and just act like the exact same site, and it would also immediately fix all of the problems with "what if someone hacks into my server and just unenrolls me from the thing", as if they do that they wouldn't have the signing key (which you can keep very very offline) and, when a user hits reload, the new site they see would be considered unrelated to the one they were previously on. You also get provenance for free, and no longer have to worry about how to deal with unenrollment: the site just stops serving a manifest and it is immediately back to being the normal boring website, and can't access any of the content the user gave to the trusted key origin.

[doomrobo]

1. I didn't know about this [1] actually! It looks like it's been unsupported for a few years now. The format looks pretty barebones, and we'd still need hashes like you said, as well as "wildcard" entries. I reckon the JSON solution might still be the better choice, but this is good to have as a reference.

2. I agree, and this is something we have gone back and forth on. The nice thing about hashes as primary keys is you can easily represent a single path having many possible values, and you can represent "occurs anywhere" hashes by giving them the empty string. But the downside like you mention is that a hash cannot occur at multiple paths, which is far from ideal. I'll make an issue in the Github about this, because I don't think it's near settled.

3. I had read the spec [2] but never made this connection! You're right that it's not hard to imagine malleability sneaking in via headers and status codes. I'll make an issue for this.

4. I wanted to veer a bit from requiring sites to hold yet more cryptographic material than they already do. Yes you can keep signing keys "very very offline", but this requires a level of practice that I'm not sure most people would achieve. Also you run into key rotation annoyances as well. The current route to something like you describe is have every site have their own transparency log entry (though they can share manifests and even asset hosts), and use code signing to link their instance to the source of truth.

[1] https://en.wikipedia.org/wiki/Cache_manifest_in_HTML5

[2] https://www.rfc-editor.org/rfc/rfc9421.html

[saurik]

<3 FWIW, I know Hacker News discussions often go stale after a bit and later responses might never be seen, and I don't really have time until later tonight to work on this (I used up my minutes earlier frantically reading this article to leave that other comment), so I thought I'd leave a quick comment here saying that I will be doing some further explanation in a comment here later tonight into what I thought is so interesting with cache manifests and some further thoughts viz-a-viz shared origins. (And, if you also happen to think any of my commentary is somewhat useful, I'd love to have a call or something with you at some point to talk about some of your vision for this work: I have a number of use cases for this kind of verification, and I think I was one of the more serious users of cache manifests back a decade ago.)

[doomrobo]

Emailed :)

[saurik]

So, the other standard that relates to this is Signed HTTP Exchanges (which, I only, just now, learned that Cloudflare I guess decided to, also just now, withdraw support of, lol), and I think when you fit all of these together, and look at the existing practice from both Android and Web3, a really amazing possible vision starts to form.

AFAIK, the goal there was the idea that you should be able to implement stuff like a caching peer-to-peer proxy network in a secure manner, as you'd be able to prove that a response came from the official server... and, since that could have a Date header and associated cache control information, that it was even "up to date"/valid content.

The way this works is that the signed exchange is considered part of the origin that signed the exchange, rather than the origin from which you received it; this totally changes the game for distributing censorship resistant applications... except that I believe it all ends up tied back to the TLS ecosystem, to establish the correct key.

Essentially, what I've seen a lot of people want to do -- primarily very much in the decentralized crypto / Web3 ecosystem -- is to be able to have an application where the "server" is a blockchain (accessed via a commodity server that just tracks access to blockchain state), identity is handled by keys, and all data is in local storage...

...but the problem is: where do you get this app from? It ends up having to be on a random web host, and, even with separate wallets managed by browser extensions or even full hardware, you end up in a terrifying place if the server can keep modifying the app you are using as you are using it. This is like, your core use case for this! ;P

Only, these people are trying to simultaneously solve this: they don't want the site to be tied to the existing website infrastructure at all. If I disappear, you should be able to continue to use the website forever, as long as someone has a backup copy of it and they are willing to host it, which is similar to the signed exchanges case.

The closest we have for this currently is to host the app on IPFS, but: 1) the browser doesn't have a supported way to verify anything that comes from IPFS, so we are reliant on the security of some random proxy server (which we could run local, but it is super expensive); and 2) the only way to get updates re-exposes the original issue.

To me then, "table stakes" for any attempt to solve this problem has to cover this use case, as this is where I see the vast majority of people, today, actively trying to pull this off. In fact, with the exception of WhatsApp, the only people I've ever even heard of with a need for this right now are these people who are going all the way.

One way to approach this would be to try to stare at IPFS and figure out how to make it better, but I totally appreciate that that might be a lost cause: IPFS is extremely inefficient and intricate... what I feel we need is for a standard to be put forward that allowed for stuff on top of IPFS--or all competing mechanisms--to be compliant.

Like, the thing I actually want to be able to do is to host a website "out there somewhere", maybe on a bunch of mirror sites, maybe on IPFS, maybe in .zip files that people distribute on USB keys... just, somewhere/somehow, and then when they use that website it is considered just as secure as any other way that they might get the app.

This is how it works with Android apps, for example: no matter how I found the app, or an upgrade to the app (even if that upgrade came from a different path than how I got to the app originally), the app gets access to its private/secure storage on a user's device because of its identity, not because of the path by which I'd found the app.

And this is where the whole problem just starts sounding like the same thing that we were doing with app cache manifests: the ostensible reason those existed is that one would like to be able to download a full copy of a web application so you aren't using it on a train and suddenly realize you are missing some key file for it to operate.

What that means, though, is that the app cache manifest essentially becomes a bill of materials for an entire web app: with a link to just the app cache manifest, what you are able to do is download and "install" the app. (iOS then used this heavily for their personal web app install to homescreen flow, so you really downloaded the app.)

The mechanism also had a kind of atomicity to it, wherein it would download the entire new application and only switch to the new app as a single unified unit: either it had an updated copy of all of the files in the new manifest, or it is going to keep using the old app; once ready, a script event fired and you could notify the user to reload.

So like, in my mind, there is this amazing intersection ready to be found, wherein the goals of the app cache manifest and Signed HTTP Exchanges -- but with a root of trust that is more like an Android app than the TLS authorities -- are combined together to let the ecosystem trying to build decentralized peer-to-peer e2ee web applications.

And like, viewed from that perspective, the "more cryptographic material" that people need for their app is just the same thing as the signing key they'd use for an Android app, a concept that people built workflows around and I don't think is such a big lift: somehow, Android was fine, despite this being how it worked for a dozen+ years.

That said, I think that this still has a lot of value even if it is tied back down to the centralized hostname ecosystem, but what I like about HTTP Message Signatures (not Signed HTTP Exchanges) is that I think they have a trust root that is more like DANE, using a DNS entry to anchor the public key rather than tying it to a TLS certificate.

Regardless, in my perfect world, what I want is for all of these copies of the app that might exist in the world -- whether signed by the same key or tied back through Signed HTTP Exchanges to an underlying host (which, maybe some day, can be on a fully decentralized registrar) and a key furnished by DNS -- to share the same web origin.

And like, the reason I keep coming back to this, is because most of the people I have seen in the wild trying to solve this problem barely have a server at all and want to be able to write an application that entirely uses local storage and distributed hash tables or blockchains or even manual message passing to connect up, peer-to-peer.

But so, yeah: I've now spent a bunch more time typing a giant manifesto for a thing that you are already working on and I get that that is an awkward thing if the vision doesn't align at all (or maybe you are actively trying not to solve the use case of the people I keep pointing at)... but, if you do, I'd love to chat about this (a lot).