On 2015-02-13 01:14, Botond Ballo wrote:
One concern which I don't feel has been sufficiently emphasized, is the way in which this proposal would make our users vulnerable to censorship.
What I've been wondering is who can sign? Is Mozilla the only one that can sign it or can a signature from a code signing certificate that is in the trust store be used? I think since we're signing code, we should rely on any code signing certificate. But for people that find that expensive Mozilla could sign it for them.
I think that should address all concerns I've seen so far. It should allow the signing to be checked in all versions and developers could add their test certificate to the browser.
Kurt _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
