[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates

Jacob Hoffman-Andrews jsha at newview.org
Tue Jun 10 12:50:24 PDT 2014

> Taking the signature into account, the schema that makes the most sense
> to me is:
> { "update": { "stable": {...}, "development": {...} }
>   "signature": ... }
> where "signature" is over the stringified value of "update".

I wound up needing to address this same problem for the STARTTLS config
distribution spec (
Unfortunately there is no spec for canonicalizing JSON. We could implement
one ourselves but it's likely to get really challenging really fast. More
generally, any attempt to specify a signature internal to the format that
is being signed is a little weird.

What I wound up doing instead was just specifying signatures external to
the file format, e.g. wrap the whole JSON in `gpg --clearsign' or something
similar. I'd suggest the same thing here.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20140610/fb020832/attachment.html>

More information about the HTTPS-Everywhere mailing list