Eddy Nigg (StartCom Ltd.) wrote:
> Nils Maier wrote:
>> The aversion to code signing lies more in the money, effort and required
>> knowledge associated with it.
> Hypothetical question: If Mozilla or an independent organization could
> provide this service for free and reduce the efforts required to a
> minimum, would this solve the problem? Would the various applications,
> add-ons etc be digitally signed from then on (policy wise)?
> 
Cannot speak for everybody else, but it would solve the technical issues
for me, at least to that point where I can "live" with it.
I would be able to host some of my extensions myself, then signed of course.
If it was easy to sign stuff then signing test versions wouldn't be a
problem either, so that problem would be gone too.

But to be honest I don't really see signing for all under a single CA.

This would require (IMO) having various CAs that provide such
certifications for free, not just one (or two that are deeply affiliated,
for that matter).
The reason for this is quite simple: one is a monopoly.

See TIVO/DRM/GPL.

And somebody could sue Mozilla, e.g. over some extension infringing some
patent. I wouldn't normally care, as I'm a German citizen and software
patents aren't enforceable here and in many other countries.
But that court ordering moco CA to revoke the cert would still prevent
me from distributing my legal extension.

Oh, and nothing prevents the Mozilla CA or the independent CA from saying
"well, we figured it would be best for our profits to charge for our certs;
awaiting your payments starting next month".

This stuff would affect https-only updates as well, but at least there
is some competition/choice in the SSL-Cert CA market.


Please note: This was just a more or less quick brainstorming. I might
be totally incorrect, missing the point or overlooking totally important
stuff ;)

Greets
Nils
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
