Actually, the 'threat model' is more related to versioning (via timestamp) than anything, and to ensure that no malware on my system (I try to keep it malware-free, obviously, but I also know that just because I don't think I've been hacked doesn't mean I haven't been) modifies a local copy I make.
I'm /not/ suggesting that Kathleen isn't doing her job (I haven't interacted with her directly, but by all accounts and by all CA approval activity that's going on she is doing a marvelous job at it). I just want to know which document I'm looking at, if it's the initial or a subsequent copy of it, etc. (if I'm offline for whatever reason, it'd be nice to know which version I'm tailoring comments toward.)

That's all. :)

-Kyle H

On Wed, Dec 17, 2008 at 8:06 AM, Frank Hecker <hec...@mozillafoundation.org> wrote:
> I've asked Kathleen Wilson in future to convert the CA information documents
> to PDF format before uploading them to Bugzilla. I've also converted the
> information document for S-TRUST to PDF myself, and uploaded it to bug
> 370627.
>
> As for digitally signing these PDF documents, I think we need to do more
> research on the implications of this. In particular, many people (including
> myself) do not use Adobe software to read PDF documents, and I don't know
> the extent to which digitally-signed PDF documents will be generally
> readable.
>
> Also, what's the threat model that would dictate digitally signing the CA
> information documents? That someone posing as Kathleen or I is going to
> upload bogus documents to Bugzilla? We're already relying on Bugzilla
> authentication to protect general Bugzilla comments, and digitally signing
> the information documents doesn't address protection of Bugzilla comments.
> Besides, any such attempt would likely be quickly detected when Kathleen or
> I upload documents ourselves.
>
> Frank
>
> --
> Frank Hecker
> hec...@mozillafoundation.org
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto