[Project_owners] Secure Updates for Firefox 3

Douglas E. Warner silfreed at silfreed.net
Tue Jul 17 09:00:49 PDT 2007


After discussion with Dave Townsend today it was determined that it won't be 
necessary for Mozdev to provide SSL connections for the updates.rdf file or 
the XPIs and the downloads will still be able to be secure.  In order to do 
this, it's required that the extension owner:

1) sign the updates.rdf with a public/private key
2) embed the updateHash key for each xpi file inside the updates.rdf file

Mozilla will be providing a tool to make signing the updates files easy, and 
I'm assuming most extension developers use a tool to generate their 
updates.rdf file currently as well - so this tool would need to be updated to 
add updateHash (if it doesn't already).

We feel this constitutes a good workaround for not providing SSL-enabled 
downloads.  Let us know what your thoughts and concerns will be and we'll see 
what we can do to address them.

-Doug
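
An added example (not part of the original message, and not Mozilla's or Mozdev's tooling): Python showing how an update generator could produce the updateHash value from step 2 and how a download fetched over plain HTTP can be checked against it. It assumes the updates.rdf signature from step 1 has already been verified; the manifest is a constructed, trimmed fragment with a placeholder URL, and the function names and the allowed-algorithm list are choices of this example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"   # install-manifest namespace
ALLOWED = {"sha256", "sha384", "sha512"}       # assumption: this example's policy

def make_update_hash(xpi_bytes, algorithm="sha256"):
    """Build the 'algorithm:hexdigest' string to embed as em:updateHash."""
    return f"{algorithm}:{hashlib.new(algorithm, xpi_bytes).hexdigest()}"

def updates_from_manifest(rdf_text):
    """Return (updateLink, updateHash) pairs; updateHash is None if absent."""
    pairs = []
    for node in ET.fromstring(rdf_text).iter():
        link = node.find(EM + "updateLink")
        if link is not None:
            digest = node.find(EM + "updateHash")
            pairs.append(((link.text or "").strip(),
                          (digest.text or "").strip() if digest is not None else None))
    return pairs

def xpi_matches(xpi_bytes, update_hash):
    """True only if the download matches the hash taken from the signed manifest."""
    if not update_hash or ":" not in update_hash:
        return False                 # no hash: an HTTP download cannot be trusted
    algorithm, _, expected = update_hash.partition(":")
    algorithm = algorithm.lower()
    if algorithm not in ALLOWED:
        return False                 # weak or unknown digest algorithm
    actual = hashlib.new(algorithm, xpi_bytes).hexdigest()
    return hmac.compare_digest(actual.encode(), expected.strip().lower().encode())

# Constructed sample data: stand-in XPI bytes and a trimmed updates.rdf fragment.
XPI = b"constructed stand-in for the bytes of an .xpi file"
MANIFEST = f"""<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description>
    <em:updateLink>http://downloads.example.org/sample-1.1.xpi</em:updateLink>
    <em:updateHash>{make_update_hash(XPI)}</em:updateHash>
  </RDF:Description>
</RDF:RDF>"""

if __name__ == "__main__":
    for url, digest in updates_from_manifest(MANIFEST):
        print(url, "OK" if xpi_matches(XPI, digest) else "REJECTED")
        print(url, "OK" if xpi_matches(XPI + b"tampered", digest) else "REJECTED")
```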