Nils Maier wrote:
Eddy Nigg (StartCom Ltd.) wrote:
Hypothetical question: If Mozilla or an independent organization could
provide this service for free and reduce the efforts required to a
minimum, would this solve the problem? Would the various applications,
add-ons etc be digitally signed fr
> > Now I need a private key from ~/.xulapp to sign my object. To the best
> > of my knowledge, I create a certificate request and use ~/.ca to
> > validate it. That is what I did. I then imported the file. This is the
> > output with certutil -L
> > Common Name - Organization
Arrakis wrote:
> Why not use digital certificates provided by CACert. They are free, and
> have high levels of assurity, as opposed to CAs like Verisign that
> have little to no assurity, and charge a ransom.
>
>
>
Well
1) Not audited
2.) Not in Mozilla, or most other browsers because of #1
3
Eddy Nigg (StartCom Ltd.) wrote:
> Nils Maier wrote:
>> The aversion to code signing lies more in the money, effort and required
>> knowledge associated with it.
> Hypothetical question: If Mozilla or an independent organization could
> provide this service for free and reduce the efforts require
Why not use digital certificates provided by CACert. They are free, and
have high levels of assurity, as opposed to CAs like Verisign that
have little to no assurity, and charge a ransom.
Gervase Markham wrote:
> Jean-Marc Desperrier wrote:
>> I agree. *Therefore* Mozilla.org need to have its
Nils Maier wrote:
The aversion to code signing lies more in the money, effort and required
knowledge associated with it.
Hypothetical question: If Mozilla or an independent organization could
provide this service for free and reduce the efforts required to a
minimum, would this solve the proble
Jean-Marc Desperrier wrote:
> I agree. *Therefore* Mozilla.org need to have its own code signing
> authority, and only accept code signed by it. You have all the
> competence needed on this group to help you set it up.
Where in this group is there competence and experience in worldwide
identit
Gervase Markham wrote:
> Nelson B wrote:
>> This scheme is intended to make code signatures unnecessary. (Someone
>> at mozilla is allergic to code signing, evidently.) But at the cost that
>> mozilla must be given the new hashes for any new addons and any new
>> updates
>> to addons.
>
> Not a
dev wrote:
> Hey,
> Let's say I have signed "foobar" using crypto.signText("foobar");
> How do I verify that signature?
>
> I used signVer from the NSS tools :
> #./signver -s ./signature
./signver
Usage: signver options
Options:
-a signature file is ASCII
-d certdi
Hey,
Let's say I have signed "foobar" using crypto.signText("foobar");
How do I verify that signature?
I used signVer from the NSS tools :
#./signver -s ./signature
(where signature is a file containing the signature outputted by the
crypto.signText function)
but it gives error
signver: functi
Gervase Markham wrote:
Not allergic; we don't want to accept sucky code-signing certs, and we
don't want app authors to have to pay a lot of money for non-sucky ones.
LOL can you define sucky in relation to code-signing?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL
Nelson B wrote:
> This scheme is intended to make code signatures unnecessary. (Someone
> at mozilla is allergic to code signing, evidently.) But at the cost that
> mozilla must be given the new hashes for any new addons and any new updates
> to addons.
Not allergic; we don't want to accept suck
Dave Townsend wrote:
> It doesn't cover those that won't pay for the SSL and don't want to host
> on AMO. Yes there are people saying they are in that situation. Numbers
> are difficult to guess at though.
I'm sure there are people saying they are in that situation; there are
people who want so