HTTP Message Signatures

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • http-extensions

    HTTP Extensions in progress

  • I'll take this opportunity to point out that Ed25519 support is an open issue, but no one has stepped up to specify it yet.[0]

    [0] https://github.com/httpwg/http-extensions/issues/1509

  • secure-bookmark

    Security-critical web apps with Data URL and subresource integrity

  • Well, there is the SecureBookmarks trick[0], which uses integrity hashes and Data URLs, so you're right that signatures aren't strictly needed (especially at the HTTP level). I think the difficult part is the UX, and how to handle the failure modes, which is why browsers might reasonably be reluctant to support something like this.

    [0] https://github.com/coins/secure-bookmark

  • cert-verifier-js

    Javascript library for verifying Blockcerts Certificates

  • > Does there need to be a UI for viewing the key details, and for approving/rejecting upgrades to the web app?

    Aren't releases of schema.org/SoftwareApplication

    https://github.com/blockchain-certificates/cert-verifier-js#...

    From (an obscure comment with pictures on) "Roadmap update for TUF support

  • warehouse

    The Python Package Index

  • " https://github.com/pypa/warehouse/issues/5247#issuecomment-9... :

    > Only users with package release permissions can create a new SoftwareRelease record for that project

    You can log hashes to sigstore now, which is a centralized db supported by The Linux Foundation.

    > How sigstore works: sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.

    > A standardized approach: This means that open source software uploaded for distribution has a stricter, more standardized way of checking who’s been involved, that it hasn’t been tampered with. There’s no risk of key compromise, so third parties can’t hijack a release and slip in something malicious.

    > Building for future integrations: With the help of a working partnership that includes Google, the Linux Foundation, Red Hat and Purdue University, we’re in constant collaboration to find new ways to improve the sigstore technology, to make it easy to adopt, integrate and become a long-lasting standard.

    But then DIDs and ld-proofs (with at least the current trust root in a trustless DLT of some sort) are even more standardized.

    Software Releases, [Academic,] Credentials, Server Certs, ScholarlyArticles: all of these things can be signed and may already be listed in the Use Cases documents for W3C DID Decentralized Identifiers [1] and W3C VC Verifiable Credentials [2], which are summarized in the context of Keybase here: https://news.ycombinator.com/item?id=28814802

    [1] https://www.w3.org/TR/did-use-cases/

    [2] https://www.w3.org/TR/vc-use-cases/
