On 12/17/2008 06:06 PM, Frank Hecker:
I've asked Kathleen Wilson in future to convert the CA information documents to PDF format before uploading them to Bugzilla. I've also converted the information document for S-TRUST to PDF myself, and uploaded it to bug 370627.
Excellent! I guess Nelson can't complain about slow resolution on this issue. :-)
As for digitally signing these PDF documents, I think we need to do more research on the implications of this. In particular, many people (including myself) do not use Adobe software to read PDF documents, and I don't know the extent to which digitally-signed PDF documents will be generally readable.
Guess you are using some OS X application. I tested with various document viewers and all seemed to work. Albeit the signature wasn't usually presented.
Also, what's the threat model that would dictate digitally signing the CA information documents? That someone posing as Kathleen or I is going to upload bogus documents to Bugzilla? We're already relying on Bugzilla authentication to protect general Bugzilla comments, and digitally signing the information documents doesn't address protection of Bugzilla comments. Besides, any such attempt would likely be quickly detected when Kathleen or I upload documents ourselves.
I think Kyle meant it rather jokingly to sign the PDF and not less than with a StartCom cert ;-) I think it's really not needed for our purpose.
-- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto