On 11/09/15 13:05, Gervase Markham wrote:
> On 08/09/15 10:54, Rob Stradling wrote:
>> Assuming this is still Mozilla's plan, please would you clarify which
>> versions of Firefox and Thunderbird will be (or were?) the first
>> versions that won't accept "normal CA-issued object-signing certificates" ?
>
> Extension signing was historically very rare, so I'm not sure what our
> new signing system would do when faced with an extension which is
> already signed. (Is that what you are asking?)

Yes, that's what I'm asking. I know we have some customers (I've no idea how many) who have signed extensions using code signing certs we've issued, so it would be useful to know exactly when these signatures will cease to "work".

> Basically, it just put
> the signer's name in the install dialog, AFAIAA.
>
>> (I see the Timeline at [2], but it's not clear to me if the old
>> mechanism is being phased out at the same time the new mechanism is
>> being phased in, or if both mechanisms will run in parallel for a while
>> before the old mechanism is then phased out).
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1203584 suggests that the
> new target for the new system is Firefox 43/44. So currently there is no
> requirement that addons be signed.
>
> https://wiki.mozilla.org/RapidRelease/Calendar
>
> I assume that once this is required, it will be required - i.e. Firefox
> will look for a Mozilla signature, and other signatures will not make
> any difference.

I think that's likely, but confirmation of this would be useful.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

