Should we implement a CA-Knockout Add-On? 
Tuesday, September 6, 2011, 04:39 PM
Posted by Administrator
I consider to implement a Mozilla Firefox/Thunderbird/SeaMonkey Add-On with the following functionality.
I'm striving for something that I (or we) could implement within a minimum amount of time, like 24-48 hours.

(1) it embeds my personal Code Signing certificate ("cert pinning").

(2) it (daily) pings a given URL, e.g. https://ca-knockout.kuix.de/knockout/latest.txt

The URL delivers plain text data, 3 rows.
- line 1: version number 1
- line 2: the number of the most recent knockout certificate (a steadily increasing number starting with 1)
- line 3: a base64 encoded signature, which signs the text contained in line 2

(3) the Add-On keeps track of the most recently download knockout certificate

(4) if the signature of the most recent knockout number is confirmed, then the addon will download all missing knockout certs
Let's say, the addon had previously downloaded knockout number 1, and the server now says latest knockout is number 3.
Then the Add-On will download the following URLs:

https://ca-knockout.kuix.de/knockout/2.txt
https://ca-knockout.kuix.de/knockout/3.txt

In particular we can use prefs like "most-recent-known-knockout-number"
and "most-recent-imported-knockout".

(5) Retry downloading each of them in order, until successful and until
most-recent-known-knockout-number equals most-recent-imported-knockout.

(6) the contents of the knockout files like 2.txt is plain text data, 3 rows:
- line 1: version number 1
- line 2: the knockout number (e.g. 2), a single space, and a base64 encoded certificate that should be marked as not trusted
- line 3: a base64 encoded signature, which signs the text contained in line 2

(7) import each knockout certificate that can be verified

(8) Add another feature to the Add-On - allow users to import the files like 2.txt and 3.txt directly, e.g. by copying the text into a dialog. With this feature, if a user is in an environment that blocks connections to host ca-knockout.kuix.de - then users could obtain the knockout instructions via other channels, such as email from friends, or any other source.

(9) make Add-On available and suggest that users install it


view entry ( 4250 views )   |  permalink   |  $star_image$star_image$star_image$star_image$star_image ( 3 / 5071 )


<<First <Back | 1 | 2 | 3 | 4 | 5 | Next> Last>>