>
> Taking the signature into account, the schema that makes the most sense
> to me is:
>
> { "update": { "stable": {...}, "development": {...} }
> "signature": ... }
>
> where "signature" is over the stringified value of "update".
>
I wound up needing to address this same problem for the STARTTLS config
distribution spec (
https://github.com/jsha/starttls-everywhere/blob/master/README.md).
Unfortunately there is no spec for canonicalizing JSON. We could implement
one ourselves but it's likely to get really challenging really fast. More
generally, any attempt to specify a signature internal to the format that
is being signed is a little weird.
What I wound up doing instead was just specifying signatures external to
the file format, e.g. wrap the whole JSON in `gpg --clearsign' or something
similar. I'd suggest the same thing here.
_______________________________________________
HTTPS-Everywhere mailing list
[email protected]
https://lists.eff.org/mailman/listinfo/https-everywhere
