[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates
Jacob Hoffman-Andrews
jsha at newview.org
Tue Jun 10 13:59:22 PDT 2014
The specific format is not a requirement, just that it be external to the
JSON. Something friendlier to extensions would be fine too.
On Jun 10, 2014 1:57 PM, "Yan Zhu" <yan at eff.org> wrote:
> On 06/10/2014 01:40 PM, Jacob Hoffman-Andrews wrote:
> > How about just sticking to the format we have now for update.json and
> > going with the decision to serve multiple versions from different
> URLs
> > depending on the release type?
> >
> >
> > This sounds good to me. Yan, sound good to you?
>
> Sounds good, though I think we still need to deal with Jacob's point
> that JSON-to-string conversion is non-deterministic!
>
> Originally I had proposed something like verifying the signature over
> the string produced by
> JSON.stringify(JSON.parse(req.responseText).update) but apparently
> JSON.stringify won't reliably preserve ordering of the object properties?
>
> So perhaps GPG-clearsigning the update file, verifying the signature,
> and then parsing the JSON in the update file is the simplest thing. I'm
> not sure extensions support GPG signature formats; will leave it up to
> Zack to figure out the details there and add them to the spec.
>
>
> >
> >
> > _______________________________________________
> > HTTPS-Everywhere mailing list
> > HTTPS-Everywhere at lists.eff.org
> > https://lists.eff.org/mailman/listinfo/https-everywhere
> >
>
>
> --
> Yan Zhu <yan at eff.org>, <yan at torproject.org>
> Staff Technologist
> Electronic Frontier Foundation https://www.eff.org
> 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20140610/15021be2/attachment.html>
More information about the HTTPS-Everywhere
mailing list