On Thu, Mar 4, 2010 at 6:42 AM, Eddy Nigg <eddy_n...@startcom.org> wrote:
Chris Hills wrote:
Perhaps there is place for a fork of firefox (perhaps an "enterprise"
version) that uses the windows certificate store and dispenses with the
local certificate store. I understand that support for MSI installation
is already being worked on.
I think it would make much, much more sense to use the OS store for
private keys across all Firefox versions !
Yes, and with a compromise of the system you'd also loose those installed at
the Mozilla applications. Not nice :S
Well, no, not nice -- but with the fact that even your CA system will only
create a single certificate valid at a time per email address per identity
class (and only a single developer certificate, period), this means that the
user has to go through an arduous process to be able to do more than a single
thing with the certificates you offer. (As you know, the more times a key is
exposed to the world, the higher the chance of compromise.)
This basically means that your PKI design enforces the very "not nice"ness that
you now bemoan.
-Kyle H
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
