Fost1954 wrote, On 2009-01-08 14:39:

> Could you or any Firefox developer/programmer answer to my question (see 
> below):
> 
> 1. Is there a dev-tech-crypto / Firefox developer/programmer who wants to
> confirm Kaspar Band's idea that "running Firefox in "Safe Mode" when
> generating the key as well as requesting the Certificate with Thawte does
> securely prevent unnotified private key transmission"?

The question being asked here is equivalent to asking some developer to go
on record saying that there is ABSOLUTELY NO WAY for the escrow warning to
be suppressed in a browser running without extensions (which is what safe
mode does).

I think no developer is willing to do that, for the simple reason that
Firefox is an enormous body of code, and I doubt that anyone alive claims
to know how every part of it works. (*)  This question concerns a part of
the browser code that is pretty far removed from the crypto code.  It
concerns the code that displays rendered messages in windows, and that is
not where the crypto developers' expertise lies.  But I think the strongest
statement you're going to get from any developer will say "I know of no
way", rather than "there is no way".

> I do not want to be offending, but a simple "I think so"-answer does not 
> satisfy most of the Firefox-Thawte Users,...

Kaspar is one of a very tiny number of Firefox developers who have a good
understanding of both the crypto code and (some large part of) the general
browser code.  I interpret his answer as saying that he believes the
statement to be true based on his knowledge of the product, but that he is
mindful that (as with all Mozilla developers) his knowledge of Firefox may
be incomplete, and so doesn't want to say with certainty that it is true.
With that interpretation, Kaspar's answer is good enough for me.  But that's
only my interpretation.  I'm trying not to put those words in Kaspar's
mouth.  Kaspar, feel free to correct my interpretation.

Fost, you might be able to get some developer who works in a part of the
browser unrelated to crypto to make a stronger statement about this.  But
those folks don't participate in this mailing list/newsgroup, so you'll
have to ask the question elsewhere to get such an answer.

(*): I know this is one of Ian's concerns.  Ian, you're already on record
about that, so I think that point need not be embellished in this thread.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
