On Thu, Sep 10, 2015 at 3:54 PM, Peter Kurrasch <[email protected]> wrote:
> It seems to me that the benefits of this proposed change are minimal while > the negative impacts to embedded systems are significant. Perhaps I've > missed something? > > It should be understood that code signing is very important in the > embedded space--just ask Tesla or Jeep/Chrysler or Nest or other IoT > product developers. If we accept that premise, the question immediately > becomes: How do we put together a good code-signing system and how does > (should?) Mozilla products factor in to that system? > I'm not that familiar with the embedded space, but I'm not clear how public code signing certificates help these companies. A public code signing certificate is basically an IV/OV/EV certificate without any DNS Names or IP Addresses in the SAN extension. It is an identity certificate, which identifies either an individual or an organization. The value that it brings is that a relying party can use it to establish their own trust policy. They can choose to trust software signed by "Example Corp Inc." but not "FooCorp LLC". In the embedded space, I would assume there is no human to make these decisions, so I'm not clear on the value of a code signing certificate. How are embedded developers using the Code Signing key usage in NSS? Thanks, Peter _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
