On Fri, 2015-09-04 at 09:53 +0100, Gervase Markham wrote: > On 03/09/15 19:22, Kathleen Wilson wrote: > > 2) Remove included root certs that only have the Code Signing trust bit > > enabled. To our knowledge, no one is using such root certs via the NSS > > root store. > > This seems like a half-way house. If no-one is using our root store as a > code-signing root store, we should stop supporting the code-signing bit > entirely, remove the bit from all roots, and remove the UI associated > with it in all apps. > > But if we still want to support the code-signing use case, we shouldn't > remove these roots.
Firefox Add-Ons can be signed with code signing certificates. In past versions of Firefox, there was code that checked for a signature in the Add-On, and the user interface that asked for permission to install displayed information found in the signature (the name of the owner of the code signing certificate). I no longer see this information shown by Firefox. I understand that Firefox nowadays requires Add-Ons to be signed by Mozilla. How does that work? Does Mozilla use a code-signing certificate? I looked at an example Add-On, and the signature references certificates with the following names: subject=/OU=Preliminary/C=US/L=Mountain View/O=Addons/ST=CA/CN=jid1-AQqSMBYb0a8ADg@jetpack issuer=/C=US/O=Mozilla Corporation/OU=Mozilla AMO Production Signing Service/CN= production-signing-ca.addons.mozilla.org/emailAddress=services [email protected] subject=/C=US/O=Mozilla Corporation/OU=Mozilla AMO Production Signing Service/CN =production-signing-ca.addons.mozilla.org/emailAddress=services [email protected] issuer=/C=US/O=Mozilla Corporation/OU=Mozilla AMO Production Signing Service/CN=root-ca-production-amo Doesn't that mean that Mozilla Firefox still relies on code signing certificates? Kai _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
