[HTTPS-Everywhere] Draft specification for file used to check for ruleset updates

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed May 21 12:34:56 PDT 2014

On 05/20/2014 08:01 PM, Seth David Schoen wrote:
> having a mechanism to let users know if they got the same update (whether
> extension update or ruleset upset) that everyone else in the world got,
> or at least whether everyone was _offered_ the same set of updates.
> There are many ideas about this and I think it's quite an interesting
> problem for anyone publishing software to a large user base over the
> Internet.

This sounds very much like the idea of certificate transparency (CT),
but applied to source code or binaries.  Have you considered raising
this with the CT folks?  I'm also interested in seeing something like
this in other contexts (e.g. debian and other OS distributions) and if
we had a simple, generic way to ensure that everyone was getting the
same code as everyone else, that would be very nice.

I recognize that debian might have some slightly different challenges in
terms of logs than just an HTTPS-E ruleset update; but if you're
interested in exploring where those mechanisms might overlap, i'd be
happy to have that conversation with you.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20140521/7988caa9/attachment.sig>

More information about the HTTPS-Everywhere mailing list