Apps/WebApplicationReceipt/GenerationService: Difference between revisions

Line 74: Line 74:
The straightforward approach is to place them on an SSL-protected website.  We would then be vulnerable to any attack which can compromise SSL.
The straightforward approach is to place them on an SSL-protected website.  We would then be vulnerable to any attack which can compromise SSL.


Rather than invent a new scheme, mhanson proposes to use an RFC5785-style ".well-known" file, containing a LINK with a REL of "receipt-verification-keys", which points to a file containing an array of [http://tools.ietf.org/id/draft-jones-json-web-key.txt JSON Web Keys].
Rather than invent a new scheme, mhanson proposes to use an RFC5785 / RFC6415 compliant ".well-known/host-meta" file, which is an XRD containing a LINK with a REL of "receipt-verification-keys", which points to a file containing an array of [http://tools.ietf.org/id/draft-jones-json-web-key.txt JSON Web Keys].


=== Appendix C: Key Compromise and Receipt Reissuance ===
=== Appendix C: Key Compromise and Receipt Reissuance ===
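Review bot: The revised sentence naming the RFC5785 / RFC6415 ".well-known/host-meta" file does not say how the host-meta XRD, or the key file its "receipt-verification-keys" LINK points to, is fetched and authenticated. The reader cannot tell whether the SSL exposure noted in the preceding paragraph still applies to this discovery path. Suggest stating whether both documents must be retrieved over SSL from the issuing host, and whether the LINK target may live on a different host than the host-meta file. As a style point, "RFC5785/RFC6415-compliant" reads more cleanly than "RFC5785 / RFC6415 compliant".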