On Feb 12, 2014, at 6:55 PM, Brian Smith wrote:

> In bug 896620 [1], Marco Castelluccio implemented a new app cert
> verification mechanism on top of the new insanity::pkix certificate
> verification library. I'm in the process of making some modifications
> to his work so that we can land it very soon.
>
> See also bug 889744 [2], where reviewers have had difficulty figuring
> out how to get the reviewer cert onto their Android phone.
>
> One effect of this new cert verification is that we now have more
> flexibility in how we choose which certificates are trusted. In
> particular, we will now be able to trust a particular root certificate
> for one validation, and then trust a different root certificate for a
> different validation. Previously, we always had to trust all installed
> root certificates (that were trusted for object signing) for every
> validation.
>
> This potentially enables us to make the "reviewer cert" mechanism much
> simpler. I would like to change it so it works like this:
>
> 1. Just like before, we would continue to have separate root
> certificates for production use and for app review.
>
> 2. Just like before, we would continue to use the
> dom.mozApps.signed_apps_installable_from preference to choose which
> domains can install signed apps.
>
> 3. Unlike before, if the path component of the URL of the page from
> which you are installing the app starts with "/reviewers/", then we
> would automatically verify the app signature using the reviewer root
> instead of the production root.

What is the process for getting an app signed by the reviewer cert? Is it the same as production?

Stating the obvious, but apps can be installed from any location, so won't this also special-case apps installed from places like http://foo.com/reviewers/ ? Couldn't an app developer just download their app from the reviewer interface (not sure if URLs are auth restricted), then host it somewhere else, and bypass the review process entirely?

> 4. Nobody would ever have to root their phone so they can sneak the
> reviewer cert onto the device; Gecko (and thus FxDesktop, FxAndroid,
> and FirefoxOS) would already know about the reviewer cert from the
> beginning.
>
> This proposal hinges on the idea that app reviewers will always
> install apps that they are reviewing from
> https://marketplace.firefox.com/reviewers/*. Is this reasonable? It
> feels a little dirty, but I think that the current reviewer cert
> mechanism has been so painful to people that the benefit is worth the
> dirtiness.
>
> I also propose to uplift these changes to Gecko 29 so that we can fix
> this problem in FxAndroid 29. Hopefully FxDesktop 29 will also be able
> to make use of it.
>
> I'm planning to implement this tomorrow, assuming there are no objections.
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=896620
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=889744
>
> Cheers,
> Brian
> --
> Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
> _______________________________________________
> dev-webapps mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-webapps
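The trust-anchor selection described in steps 2 and 3 of the quoted proposal, as an added illustration in JavaScript that is not Gecko's code: it assumes the preference holds a comma-separated list of allowed origins (scheme plus host) and returns which root a given install page's app signature would be verified against, or null when that page may not install signed apps at all.

```javascript
// Added illustration of per-validation trust-anchor selection (not Gecko code).
// Assumption: dom.mozApps.signed_apps_installable_from is a comma-separated
// list of origins such as "https://marketplace.firefox.com".
const PRODUCTION_ROOT = "production-root";
const REVIEWER_ROOT = "reviewer-root";

// Normalise the preference into a set of lower-cased origins.
function parseInstallableOrigins(prefValue) {
  return new Set(
    prefValue
      .split(",")
      .map((s) => s.trim().toLowerCase())
      .filter((s) => s.length > 0)
  );
}

// Step 2: the install page's origin must be on the allow-list, otherwise no
// signed-app install is permitted (null). Step 3: a path starting with
// "/reviewers/" selects the reviewer root instead of the production root.
// Note that URL parsing resolves dot segments, so "/reviewers/../x" does not
// keep the "/reviewers/" prefix.
function selectTrustRoot(installPageUrl, prefValue) {
  let url;
  try {
    url = new URL(installPageUrl);
  } catch (e) {
    return null; // unparsable URL: refuse rather than guess
  }
  const allowed = parseInstallableOrigins(prefValue);
  if (!allowed.has(url.origin.toLowerCase())) {
    return null;
  }
  return url.pathname.startsWith("/reviewers/") ? REVIEWER_ROOT : PRODUCTION_ROOT;
}

// Constructed sample preference value for demonstration.
const SAMPLE_PREF = "https://marketplace.firefox.com";
```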
