[Project_owners] Secure Updates for Firefox 3
Michael Vincent van Rantwijk, MultiZilla
mv_van_rantwijk at yahoo.com
Tue Jul 17 12:07:58 PDT 2007
Douglas E. Warner wrote:
> After discussion with Dave Townsend today it was determined that it won't be
> necessary for Mozdev to provide SSL connections for the updates.rdf file or
> the XPIs and the downloads will still be able to be secure.
Ah, "SSL connections" now I get it ;)
> In order to do
> this, it's required that the extension owner:
> 1) sign the updates.rdf with a public/private key
> 2) embed the updateHash key for each xpi file inside the updates.rdf file
> Mozilla will be providing a tool to make signing the updates files easy, and
> I'm assuming most extension developers use a tool to generate their
> updates.rdf file currently as well - so this tool would need updated to add
> updateHash (if it doesn't already).
> We feel this constitutes a good workaround for not providing SSL-enabled
> downloads. Let us know what your thoughts and concerns will be and we'll see
> what we can do to address them.
Isn't this assuming that updates.rdf is hosted/handled on/from a.m.o?
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer
More information about the Project_owners