[Project_owners] Secure Updates for Firefox 3

Michael Vincent van Rantwijk, MultiZilla mv_van_rantwijk at yahoo.com
Tue Jul 17 12:07:58 PDT 2007


Douglas E. Warner wrote:
> After discussion with Dave Townsend today it was determined that it won't be 
> necessary for Mozdev to provide SSL connections for the updates.rdf file or 
> the XPIs and the downloads will still be able to be secure.  

Ah, "SSL connections" now I get it ;)

> In order to do 
> this, it's required that the extension owner:
> 
> 1) sign the updates.rdf with a public/private key
> 2) embed the updateHash key for each xpi file inside the updates.rdf file
> 
> Mozilla will be providing a tool to make signing the updates files easy, and 
> I'm assuming most extension developers use a tool to generate their 
> updates.rdf file currently as well - so this tool would need to be updated to add 
> updateHash (if it doesn't already).
> 
> We feel this constitutes a good workaround for not providing SSL-enabled 
> downloads.  Let us know what your thoughts and concerns will be and we'll see 
> what we can do to address them.
> 
> -Doug

Isn't this assuming that updates.rdf is hosted/handled on/from a.m.o?

-- 
Michael Vincent van Rantwijk
- MultiZilla Project Team Lead
- XUL Boot Camp Staff member
- iPhone Application Developer
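
The updateHash step from the quoted plan, as an added example that is not part of the original message and is not Mozilla's signing tool: Python code that produces the updateHash value for an XPI and checks a downloaded XPI against it. The `algorithm:hexdigest` string format, the SHA-2-only allowlist and the function names are assumptions of this example.

```python
import hashlib
import hmac
import io

# Assumption: updateHash is "<algorithm>:<hex digest>".
# Accepting only SHA-2 is this example's policy, not something the thread states.
ALLOWED = {"sha256", "sha384", "sha512"}


def make_update_hash(stream, algorithm="sha256"):
    """Return the updateHash string for an XPI read from a binary stream."""
    if algorithm not in ALLOWED:
        raise ValueError("unsupported hash algorithm: %r" % algorithm)
    digest = hashlib.new(algorithm)
    # Read in chunks so a large XPI is never held in memory at once.
    for chunk in iter(lambda: stream.read(65536), b""):
        digest.update(chunk)
    return "%s:%s" % (algorithm, digest.hexdigest())


def verify_xpi(stream, update_hash):
    """True only if the downloaded bytes match the hash taken from updates.rdf.

    The hash is only trustworthy if the signature on updates.rdf was
    verified first; that step is outside this example.
    """
    algorithm, sep, expected = update_hash.strip().partition(":")
    algorithm = algorithm.lower()
    if not sep or algorithm not in ALLOWED:
        return False  # malformed value or an algorithm we refuse to trust
    actual = make_update_hash(stream, algorithm).partition(":")[2]
    # Compare as bytes in constant time; bytes also tolerate odd input characters.
    return hmac.compare_digest(actual.encode(), expected.lower().encode())


if __name__ == "__main__":
    # Constructed stand-in for an XPI file, not a real extension.
    xpi = b"PK\x03\x04 constructed stand-in for an XPI"
    published = make_update_hash(io.BytesIO(xpi))
    print(published)
    print(verify_xpi(io.BytesIO(xpi), published))         # intact download
    print(verify_xpi(io.BytesIO(xpi + b"!"), published))  # modified in transit
```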


