Is this question being asked in the context of the UMO project? If so, the solution is to use signed documents, and not use SSL to download them.
I suggested that already on the wiki, not much reaction at the moment, and I don't know if Gerv was asking for MoFo or for his own employer.
Best of all, Mozilla products already have built-in support for signed jar/zip/xpi files. There are at least two vendors of free programs for signing JAR files, and one for signed XPI files.
But that is not the only part for UMO. We also need to sign the part where UMO tells if and what new versions are available.
This might require some changes to the architecture to either send this as dated pre-signed messages, or to dynamically sign it.
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
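
The "dated pre-signed messages" option mentioned in the message above, as an added example that is not part of the original thread and not UMO code: the update answer is signed offline with issue and expiry dates, and the client checks signature, freshness and version before trusting it. Ed25519 via Node's `crypto` module, the envelope layout and every field name are assumptions made for illustration.

```javascript
// Added example: dated, pre-signed update manifest. Ed25519 and all field names are assumptions.
const crypto = require('crypto');

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const x = a.split('.').map(Number), y = b.split('.').map(Number);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Offline step, run once per release on a machine that holds the private key.
// The web server only stores the resulting envelope, so it needs no key.
function signManifest(manifest, privateKey) {
  const payload = Buffer.from(JSON.stringify(manifest), 'utf8');
  const sig = crypto.sign(null, payload, privateKey);
  return { payload: payload.toString('base64'), sig: sig.toString('base64') };
}

// Client step: verify the signature over the exact bytes before parsing them,
// then reject stale (replayed) manifests and offers older than what is installed.
function checkManifest(envelope, publicKey, nowMs, installedVersion) {
  const payload = Buffer.from(envelope.payload, 'base64');
  const sig = Buffer.from(envelope.sig, 'base64');
  if (!crypto.verify(null, payload, publicKey, sig)) return { ok: false, reason: 'bad-signature' };
  const m = JSON.parse(payload.toString('utf8'));
  if (nowMs < Date.parse(m.issued)) return { ok: false, reason: 'not-yet-valid' };
  if (nowMs >= Date.parse(m.expires)) return { ok: false, reason: 'expired' };
  if (compareVersions(m.version, installedVersion) < 0) return { ok: false, reason: 'rollback' };
  return { ok: true, manifest: m };
}

// The manifest pins the package digest, so the download itself can use any transport.
function packageMatches(manifest, packageBytes) {
  return crypto.createHash('sha256').update(packageBytes).digest('hex') === manifest.sha256;
}

// Constructed sample data: throwaway key pair, made-up extension, version and dates.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const samplePackage = Buffer.from('constructed stand-in for an XPI file');
const sampleEnvelope = signManifest({
  id: 'example-extension', version: '1.2.0',
  sha256: crypto.createHash('sha256').update(samplePackage).digest('hex'),
  issued: '2005-03-01T00:00:00Z', expires: '2005-03-08T00:00:00Z',
}, privateKey);
```

The expiry window bounds how long a captured "no update available" answer can be replayed; dynamic signing removes that window but puts the signing key on the server that answers requests.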
