[Project_owners] Secure Updates for Firefox 3
Douglas E. Warner
silfreed at silfreed.net
Tue Jul 17 09:00:49 PDT 2007
After discussion with Dave Townsend today it was determined that it won't be
necessary for Mozdev to provide SSL connections for the updates.rdf file or
the XPIs and the downloads will still be able to be secure. In order to do
this, it's required that the extension owner:

1) sign the updates.rdf with a public/private key
2) embed the updateHash key for each xpi file inside the updates.rdf file

Mozilla will be providing a tool to make signing the updates files easy, and
I'm assuming most extension developers use a tool to generate their
updates.rdf file currently as well - so this tool would need to be updated to
add updateHash (if it doesn't already).

We feel this constitutes a good workaround for not providing SSL-enabled
downloads. Let us know what your thoughts and concerns will be and we'll see
what we can do to address them.
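
Requirement 2 above, as an added example that is not part of the original post and is not Mozilla's tool: computing an updateHash value for an XPI and checking a download fetched over plain HTTP against it. It assumes the `algorithm:hexdigest` form for updateHash; the SHA-2-only allow-list, the function names and the sample bytes are choices of this example.

```python
import hashlib
import hmac
import io

# Algorithms this sketch accepts (an assumption of the example, not from the post).
ALLOWED = ("sha256", "sha384", "sha512")

def compute_update_hash(stream, algorithm="sha256"):
    """Return 'algorithm:hexdigest' for the bytes of an XPI read from stream."""
    if algorithm not in ALLOWED:
        raise ValueError("unsupported hash algorithm: " + algorithm)
    digest = hashlib.new(algorithm)
    # Read in chunks so large XPIs are not loaded into memory at once.
    for chunk in iter(lambda: stream.read(65536), b""):
        digest.update(chunk)
    return algorithm + ":" + digest.hexdigest()

def verify_xpi(stream, update_hash):
    """Check a downloaded XPI against the updateHash taken from updates.rdf."""
    algorithm, sep, expected = update_hash.partition(":")
    algorithm = algorithm.strip().lower()
    if not sep or algorithm not in ALLOWED:
        return False  # malformed value or weak/unknown algorithm: do not install
    actual = compute_update_hash(stream, algorithm).partition(":")[2]
    # Compare as bytes so a non-ASCII expected value fails cleanly.
    return hmac.compare_digest(actual.encode("utf-8"),
                               expected.strip().lower().encode("utf-8"))

# Constructed sample data standing in for a real XPI and a modified download.
GOOD_XPI = b"PK\x03\x04 constructed sample extension payload"
TAMPERED_XPI = GOOD_XPI + b" injected"
PUBLISHED_HASH = compute_update_hash(io.BytesIO(GOOD_XPI))

if __name__ == "__main__":
    print("updateHash to embed:", PUBLISHED_HASH)
    print("original accepted:", verify_xpi(io.BytesIO(GOOD_XPI), PUBLISHED_HASH))
    print("tampered accepted:", verify_xpi(io.BytesIO(TAMPERED_XPI), PUBLISHED_HASH))
```

The hash only protects the XPI if the updates.rdf carrying it is itself authenticated, which is what the signature in requirement 1 provides.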