[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates
Yan Zhu
yan at eff.org
Tue Jun 10 13:57:19 PDT 2014
On 06/10/2014 01:40 PM, Jacob Hoffman-Andrews wrote:
> How about just sticking to the format we have now for update.json and
> going with the decision to serve multiple versions from different URLs
> depending on the release type?
>
>
> This sounds good to me. Yan, sound good to you?

Sounds good, though I think we still need to deal with Jacob's point
that JSON-to-string conversion is non-deterministic!

Originally I had proposed something like verifying the signature over
the string produced by
JSON.stringify(JSON.parse(req.responseText).update) but apparently
JSON.stringify won't reliably preserve ordering of the object properties?

So perhaps GPG-clearsigning the update file, verifying the signature,
and then parsing the JSON in the update file is the simplest thing. I'm
not sure extensions support GPG signature formats; will leave it up to
Zack to figure out the details there and add them to the spec.

--
Yan Zhu <yan at eff.org>, <yan at torproject.org>
Staff Technologist
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
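
Added example, not part of the original message or of the HTTPS Everywhere code: it contrasts verifying a signature over a re-serialized JSON object with verifying the file text exactly as served and parsing only afterwards. Ed25519 from Node's crypto module stands in for the GPG clearsigning discussed above, and every field name and value is constructed.

```javascript
// Added example. Ed25519 (Node's crypto) stands in for the GPG clearsigning
// suggested in the thread; all field names and values are constructed.
const crypto = require("node:crypto");

const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const sign = (text) => crypto.sign(null, Buffer.from(text, "utf8"), privateKey);
const check = (text, sig) => crypto.verify(null, Buffer.from(text, "utf8"), publicKey, sig);

// Publisher side: the update object as the publisher's tool serialized it
// (spaces after ':' and ','), signed as a byte string.
const signedUpdate = '{"branch": "stable", "version": "4.0.1", "hash": "PLACEHOLDER"}';
const updateSig = sign(signedUpdate);
const responseText = '{"update": ' + signedUpdate + "}";

// Approach 1 (first proposal): parse, re-stringify, verify the new string.
function verifyReserialized(text, sig) {
  const restrung = JSON.stringify(JSON.parse(text).update);
  return check(restrung, sig); // restrung has no spaces, so the bytes differ
}

// Approach 2: the signature covers the file exactly as served; verify the raw
// text first and parse only after it checks out.
const fileSig = sign(responseText);
function verifyThenParse(rawText, sig) {
  if (!check(rawText, sig)) throw new Error("bad signature, not parsing");
  return JSON.parse(rawText);
}

function demo() {
  const tampered = responseText.replace("4.0.1", "9.9.9");
  let tamperedRejected = false;
  try { verifyThenParse(tampered, fileSig); } catch (e) { tamperedRejected = true; }
  return {
    reserializedOk: verifyReserialized(responseText, updateSig),
    rawVersion: verifyThenParse(responseText, fileSig).update.version,
    tamperedRejected,
  };
}

console.log(demo());
```

Approach 1 rejects an authentic file because the signed bytes cannot be recovered from the parsed object, while approach 2 never hands unverified text to the JSON parser.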