Mitchell Stoltz wrote:
> 
> NS6 doesn't verify signatures on .xpi files yet. It was considered to be
> of minimal utility because very few vendors outside of Netscape ever
> bothered to sign them.

er, sort of.

Mozilla didn't have PSM, and given US export regulations at the time it
didn't look like Mozilla would ever have PSM. So signature checking had to
be optional.

The cost of the certs dissuaded developers from using SmartUpdate in 4.x --
signature checking had to be optional.

When we started work on XPInstall even *Netscape* didn't have a PSM.

There were usability problems with 4.x signature checking. Verifying the
cert after a long download was pretty bad; the user is invested in the
download and will probably OK the install no matter who it's signed by at
that point. This would have taken some work to solve. (example: I found a
SmartUpdate install of LiquidAudio (I think it was) on the Microsoft site.
When it showed me the cert it was signed by some random guy--a MS developer,
I assume--not an official MS cert. What the hell, I installed it anyway--but
for all the good the signature did me it might as well have been unsigned.)

So when it got down to a late project looking to cut features, signature
verification on installs was an obvious choice.  End-users don't care about
signatures--they're perfectly happy downloading potential trojan-horse .exe
files off websites without a thought. Corporate IS types care about
signatures and making their users respect them, but Netscape 6.0 was
specifically NOT targeted at Corporate customers because we knew we were
missing too many features in too many areas.

At some point, which Netscape has not announced, Netscape will release a
version aimed at the corporate market with the missing enterprise features
from Communicator. I expect signed XPInstalls to be in that release.

The current thinking is that by default signed installs would be optional,
but the install confirmation dialog will contain a prominent warning for
unsigned installs. There will probably be an option to disallow unsigned
installs entirely, and possibly a way to restrict the install capability to
specific certificates (e.g. only install things signed by the corporate IS
cert).

-Dan Veditz
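The last paragraph describes three install policies: unsigned installs allowed but flagged with a prominent warning, unsigned installs refused, and installs restricted to specific certificates (e.g. the corporate IS cert). The following is an added example, not code from the thread or from Mozilla's XPInstall, showing that policy layer in Python. It assumes the installer has already cryptographically verified the package signature and hands this code either the signer's DER certificate or None; the policy names, the `decide` function and the two certificate byte strings are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Policy(Enum):
    # Unsigned installs allowed, but the confirmation dialog carries a warning.
    WARN_UNSIGNED = "warn-unsigned"
    # Unsigned installs refused outright; any verified signature is accepted.
    DENY_UNSIGNED = "deny-unsigned"
    # Only installs signed by certificates on an explicit allow list are accepted.
    ALLOWLIST = "allowlist"


@dataclass
class InstallPolicy:
    mode: Policy
    # SHA-256 fingerprints (hex) of the certificates the site trusts;
    # only consulted in ALLOWLIST mode.
    trusted_fingerprints: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    prompt: str  # text the install confirmation dialog would show


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def decide(policy: InstallPolicy, signer_cert_der: Optional[bytes]) -> Decision:
    """Apply the site's install policy to one package.

    signer_cert_der is the certificate whose signature over the package the
    installer has ALREADY verified (assumption: that check happens elsewhere),
    or None when the package carries no signature at all.
    """
    if signer_cert_der is None:
        if policy.mode is Policy.WARN_UNSIGNED:
            # The "signed installs optional, but warn loudly" default.
            return Decision(True, "WARNING: this software is not signed, so its "
                                  "origin cannot be verified. Install anyway?")
        # DENY_UNSIGNED and ALLOWLIST both refuse unsigned packages.
        return Decision(False, "Unsigned software is not permitted by policy.")

    fp = cert_fingerprint(signer_cert_der)
    if policy.mode is Policy.ALLOWLIST:
        # Restrict install capability to specific certificates.
        if fp in policy.trusted_fingerprints:
            return Decision(True, f"Signed by approved certificate {fp[:16]}... Install?")
        return Decision(False, f"Signer {fp[:16]}... is not on the approved list.")
    # WARN_UNSIGNED / DENY_UNSIGNED: any verified signer is accepted, identity shown.
    return Decision(True, f"Signed by certificate {fp[:16]}... Install?")


# Constructed stand-ins for DER certificates; real certificates would be parsed
# from the package's signature block.
CORP_IS_CERT = b"constructed DER bytes: corporate IS signing certificate"
RANDOM_DEV_CERT = b"constructed DER bytes: some random developer's certificate"


def demo() -> dict:
    """Run each policy against an unsigned package, a package signed by a random
    developer, and one signed by the corporate IS cert."""
    corporate_only = InstallPolicy(Policy.ALLOWLIST, {cert_fingerprint(CORP_IS_CERT)})
    results = {}
    for name, policy in [("warn", InstallPolicy(Policy.WARN_UNSIGNED)),
                         ("deny", InstallPolicy(Policy.DENY_UNSIGNED)),
                         ("allowlist", corporate_only)]:
        for pkg, cert in [("unsigned", None),
                          ("random-dev", RANDOM_DEV_CERT),
                          ("corp-is", CORP_IS_CERT)]:
            results[(name, pkg)] = decide(policy, cert).allowed
    return results


if __name__ == "__main__":
    for key, allowed in demo().items():
        print(f"{key[0]:>9} policy, {key[1]:>10} package: {'install' if allowed else 'refuse'}")
```

The point the example makes is that the three policies differ only in the branch taken after verification; the cryptographic check itself is the same in all of them, which is why it can ship with a permissive default and be tightened later through configuration.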
