As I stated in my first mail, the topic is likely to spark lots of ideas and proposals. http://secclab.mozdev.org and http://www.sourceforge.net/projects/formx/ seem like interesting forums to discuss/investigate future implementation and I look forward to having more time to go further. But looking at the newsgroup, there are things I have not seen challenged (yet?):
- there is a need of a function to sign "stuff" using Mozilla.
- there is/was a function called crypto.signText() in Netscape that provided that feature in a way that is "good enough".
- there are people wanting this function in Mozilla.
- there is a patch http://bugzilla.mozilla.org/show_bug.cgi?id=29152 that successfully implements crypto.signText() in Mozilla.
The next logical step would be to include that patch in the Mozilla CVS. The "bug" has been classified as "P3" "Enhancement" with a Target Milestone "Future" for PSM 2.0. I agree that this is not a critical/show-stopper "bug". But I don't understand several things:
- why is this feature so low on the TODO list and constantly pushed back (but this is probably subjective)?
- why is fixing a feature regression called an enhancement?
I've been doing some digging into these questions, and the answers I've received weren't what I expected them to be. They're potentially stronger reasons than I'd imagined. As I understand them, they are:
We should be implementing standard solutions, not proprietary ones. The signText feature is seen as proprietary. XML signatures and XML encryption, on the other hand, are seen as standard.
(Re)Implementing proprietary solutions instead of standard ones contradicts the message about being really committed to standards.
Defending the implementation of proprietary features gives the competition justification for doing the same thing.
Work on XML Signatures is being considered.
I know this might sound like a typical user enhancement request: "Why isn't this feature in ?", "This is important", etc... But it's not something superficial, esthetic or comfortable. It's a feature that excludes or will exclude Mozilla from being an acceptable browser: if you don't believe me look at the bug reports and in the newsgroup, you'll see people that *need* this function for their application to support Mozilla.
If it "excludes Mozilla from being an acceptable browser", then what other browsers are not presently excluded, and what specific feature(s) of those browsers are the basis for them not being excluded, with respect to the need to "sign stuff"?
-- Nelson Speaking only for myself
