Sent from my iPhone. Please excuse brevity.

> On Sep 24, 2015, at 08:56, Richard Wang <[email protected]> wrote:
>
> I think Firefox plugin XPI needs to be signed, this is the usage.

Those are signed with a specific Mozilla-owned authority, which is independent of the root program. XPI signing does not rely on the code signing trust bit.

>
> Regards,
>
> Richard
>
>>> On Sep 24, 2015, at 20:53, Gervase Markham <[email protected]> wrote:
>>>
>>> On 24/09/15 02:58, Peter Kurrasch wrote:
>>> I suppose my comment was not as clear as I intended but, yes, I think
>>> Mozilla's commitment to openness is a reason to keep the code sign bit
>>> and continue to review CA inclusion requests for their code signing
>>> roots. I'm not aware of another organization who is in a similar
>>> position as Mozilla with a similar commitment to openness who could
>>> carry this work forward if the decision is made to remove the code
>>> signing trust bit.
>>
>> But that argument carries very little weight if no-one actually pays
>> attention to our code-signing trust bit. Does anyone?
>>
>> If it's not useful to anyone, why keep it?
>>
>> Gerv
>>
>> _______________________________________________
>> dev-security-policy mailing list
>> [email protected]
>> https://lists.mozilla.org/listinfo/dev-security-policy

