On 22/10/2016 14:59, Ryan Sleevi wrote:
On Saturday, October 22, 2016 at 5:11:29 AM UTC-7, Jakob Bohm wrote:
Talking of codesigning, which root store does Chrome use to validate
signatures on the PPAPI plug ins it is currently forcing developers to
switch to?
I've mentioned to you repeatedly that no one uses the code signing store of
Mozilla. Chrome itself does not use a code signing store - as I've also
mentioned, CA-mediated code-signing is largely a historical artifact of
Microsoft's past decisions, and not something to be practiced or encouraged.
OK, I was unsure if Chrome required signing of PPAPI plugins
distributed outside the (being closed) store, and if so what the rules
were (I'll be researching that soon anyway for other reasons).
So such an action has no impact on anyone consuming the code signing certs, so
there's no need to suggest alternatives.
While Microsoft code signing typically uses the Microsoft root store
(obviously), there are many other ecosystems using the object/code
signing trust logic, even though Mozilla is out of the game:
- Some Mozilla clones/forks have kept the broader approach to extension
signature checks that Mozilla replaced by "all extensions must be
signed by addons.mozilla.org", those obviously maintain their own code
signing trust bits.
- Java applets that need extended access use either the Browser root
store, the OS root store or the Oracle root store depending on
circumstances, thus anyone signing Java applets need a CA chaining to
all those stores.
- iOS apps need a signature that chains to the Apple code signing root
store, which currently only trusts Apple's own root for this.
- Apps for some of Adobe's plugin systems use object signing with
unknown root stores.
- PDF document signing tends to use the object signing trust bits
rather than the e-mail signing trust bits.
- And Microsoft is still in business with their various code signature
checks.
I find it somewhat likely that at least some of the above will use a
root store that follows in Mozilla's footsteps regarding distrust of
WoSign and StartCom. Thus the need for those who obtaind OV code
signing certificates from StartCom to start looking for alternatives,
and my suggestion, as a public service, that someone here might chime
in with the names of small/individual developer friendly issuers of
code signing certificates.
In other words, my question was in the general context of this being
the only public forum about root store policies, rather than
specifically about the Mozilla store.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
