Thanks for sharing this Jeremy. I'm still reading through it myself but one thing that jumps out at me is the implicit(?) allowing for the same key to be used for SSL and code signing.
From a security standpoint that's a horrible idea. I'll elaborate if desired, but I first wanted to find out what the current thinking is among CABF participants regarding this practice. Has there been any discussion? I don't know that Mozilla has an opinion on it? Thanks.

Original Message
From: Jeremy Rowley
Sent: Monday, August 25, 2014 5:46 PM

The CAB Forum released proposed new baseline requirements around code signing today that might be of interest to participants here. You can see the document here:

https://cabforum.org/2014/08/25/cabrowser-forum-releases-code-signing-baseline-requirements-public-comment-draft/

Public comments and feedback are welcome.

Jeremy
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

