Jean-Marc Desperrier wrote:
> But I'd like to point out I'm not the only one who is doubtful about the
> real level of authentication current commercial CAs provide for code
> signing certificates.

No. I also have my doubts in this area. That's one reason I think EV is important.

> - gerv : "barrier to entry" on extensions, "level of control over the
> extension community which we have so far been entirely unwilling to even
> consider"
>
> I'm sorry there must be some misunderstanding, because it was my
> understanding that there was already some level of barrier to entry on
> addons.mozilla.org.

There is, but the key point is that the additional work to create that barrier falls on the a.m.o. reviewers, not on the extension author. Requiring a certificate would make it harder for the extension author; that would lead to fewer extensions being written.

> I really thought that the idea of a community organized review of
> extensions would be something that could match MoFo's philosophy,
> even if limiting choice but for good reasons and in a /good/ manner. My
> view was not to impose something "coming from above", but to have a
> process that every community member could be a part of.

I believe there is already something like this, in the a.m.o. sandbox.

> An important point also is that there's no use of fake cert for crookery
> today, because crooks do go the easiest way always and there's no need
> to use fake cert today to do crookery. If and only fake cert become the
> only way, fake certs will be used.

I entirely agree with that.

Gerv
_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto

