Hi,
sajolida wrote (07 May 2015 16:12:52 GMT):
> We also updated the blueprint with some more implementation information.
>     https://tails.boum.org/blueprint/bootstrapping/extension/
Impressive. I took a look and pushed a few nitpicking changes. A few
comments and suggestions follow:
> The v1 part of the URL corresponds to the version of the extension.
I would suggest giving its own versioning to the URL scheme used by
the extension, instead of re-using the extension's versioning.
Otherwise, we'll have to maintain more parallel copies of the same
files on our website, and then it'll require tools and automation, and
then someone will have to write the code and review it and make it
good enough, and then there will be bugs and maintenance burden, etc.,
you know the drill => the less often that URL scheme version changes,
the better.
Five minutes later, on second thought: or perhaps the idea is to only
support *one* version of the extension at a given time? If that's the
case, then the extension will need to detect when it's not supported
anymore (how?), and to tell the user about it, and then it'll have to
violate the "must not embed any user-visible string in its code"
principle. Food for thought :)
> ISO DESCRIPTION FILE
Just a semi-random suggestion: perhaps including a link to the release
notes would give more flexibility in the future. E.g. it might be nice
to point users at the release notes while they're downloading the ISO
in order to do a full upgrade. Perhaps that can be handled on the
website side. Well, it's cheap to stuff this info into the IDF (!), and
doing it now may avoid having to deal with an IDF format change in the
future, so if it were me, I would just do it.
My only remaining comment is that the threat model doesn't mention
attacks, from inside the browser, on the web page that does the
verification. Of course, I know you're still waiting for feedback from
security experts in this field, so my suggestion may seem premature.
However, it seems to me that the entire design of this new bootstrap
process relies on the integrity of web pages retrieved from our web
site and displayed in a web browser, so perhaps it's not too early to
clarify that we don't try to protect against this specific type
of attack.
And then, the feedback you'll get will allow us to assess how big
a risk it really is, even if it's probably too late for it to
substantially affect the entire new bootstrapping process as it has
been designed.
Cheers,
-- 
intrigeri