[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates
yan at eff.org
Tue Jun 10 13:57:19 PDT 2014
On 06/10/2014 01:40 PM, Jacob Hoffman-Andrews wrote:
> How about just sticking to the format we have now for update.json and
> going with the decision to serve multiple versions from different URLs
> depending on the release type?
> This sounds good to me. Yan, sound good to you?
Sounds good, though I think we still need to deal with Jacob's point
that JSON-to-string conversion is non-deterministic!
Originally I had proposed something like verifying the signature over
the string produced by
JSON.stringify(JSON.parse(req.responseText).update) but apparently
JSON.stringify won't reliably preserve ordering of the object properties?
So perhaps GPG-clearsigning the update file, verifying the signature,
and then parsing the JSON in the update file is the simplest thing. I'm
not sure extensions support GPG signature formats; will leave it up to
Zack to figure out the details there and add them to the spec.
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere at lists.eff.org
Yan Zhu <yan at eff.org>, <yan at torproject.org>
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 455 bytes
Desc: OpenPGP digital signature
More information about the HTTPS-Everywhere