[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates

Yan Zhu yan at eff.org
Tue Jun 10 13:57:19 PDT 2014

On 06/10/2014 01:40 PM, Jacob Hoffman-Andrews wrote:
>     How about just sticking to the format we have now for update.json and
>     going with the decision to serve multiple versions from different URLs
>     depending on the release type?
> This sounds good to me. Yan, sound good to you?

Sounds good, though I think we still need to deal with Jacob's point
that JSON-to-string conversion is non-deterministic!

Originally I had proposed something like verifying the signature over
the string produced by
JSON.stringify(JSON.parse(req.responseText).update) but apparently
JSON.stringify won't reliably preserve ordering of the object properties?

So perhaps GPG-clearsigning the update file, verifying the signature,
and then parsing the JSON in the update file is the simplest thing. I'm
not sure extensions support GPG signature formats; will leave it up to
Zack to figure out the details there and add them to the spec.

> _______________________________________________
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere at lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere

Yan Zhu  <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation                  https://www.eff.org
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x134

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20140610/3121d07a/attachment-0001.sig>

More information about the HTTPS-Everywhere mailing list