Kai Engert wrote: > Nelson B schrieb: >> Dave Townsend wrote: >> >>> Nelson Bolyard wrote: >>> >>>> $18/year is too expensive, eh? >>>> >>> Heh, this is true. My attempts to find cheap SSL certificates had only >>> yielded $100/per year jobs. Given that they are not that expensive I >>> have started doing a straw poll of authors to see whether that would be >>> too much or not. >>> >> I have heard that SSL server certs are available for FREE from Startcom >> (one of the CAs already known to mozilla products) at this web page: >> http://cert.startcom.org/ > > Wouldn't he require an object-signing aka code-signing cert? > Are those available for a low price, too?
As I understand it, presently the downloads of mozilla addons are validated not with code signatures but by the following method: A hash of the file is stored on an https server operated by mozilla, the actual file may be downloaded from anywhere, by any means including ftp, but it must have the expected hash to be downloaded. (OK so far.) This scheme is intended to make code signatures unnecessary. (Someone at mozilla is allergic to code signing, evidently.) But at the cost that mozilla must be given the new hashes for any new addons and any new updates to addons. The issue has to do with automated downloading of updates to addons. Some makers of addons don't want to have to coordinate distribution of addon updates with mozilla. They don't want to have to give new hashes to mozilla for every update, as I understand it. So mozilla wants to accommodate them, WITHOUT requiring them to sign their code. So, the current idea being explored (as I understand it) is to allow others to automatically download their addons (or rather, updates to their addons) from their own servers, as long as their own servers are https servers. I think all this aversion to code signing merely demonstrates a lack of commitment to user security. (Frankly, Microsoft now seems to have the stronger position with respect to requiring strongly authenticated code for downloading of updates.) But I am merely an observer of all this evolution. -- Nelson B _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
