On Fri, 16 Mar 2012 13:16:54 -0700 Jonas Sicking wrote:
> It would have to be through some mechanism other than through the web server to
> add any level of security.
>> It could use a few gpg keyservers and a mozilla website and take the average
>> reporting any odd keys to mozilla.

Or even better if hardware bundling is not available and considering GSM decryptability and rogue CAs. It could contact the user's desktop firefox browser if permitted or just for this check over an ssl connection that only accepts certs issued by the Mozilla CA. Using the likely non-GSM connection for verifying the master keys, though both could be using the same wifi.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
