Re: Firefox Add-ons

2010-02-08 Thread Jean-Marc Desperrier
Eddy Nigg wrote: no CA was here admitted under these conditions for having the code signing bit turned on. I'm not saying that at some point in PKI history this wasn't done. It's not done today and feel free to publicly name the CA which does that. Last I checked there definitively were some

Re: Firefox Add-ons

2010-02-08 Thread Eddy Nigg
Last I checked there definitively were some code signing certificates basically issued under the terms of If the credit card check comes back OK, issue it. It's a little while ago though. But really. It's *hard* to do better than that, better than Send us by fax our doctored ID so that we

Re: Firefox Add-ons

2010-02-08 Thread Lucas Adamski
On Feb 6, 2010, at 10:43 AM, Eddy Nigg wrote: On 02/06/2010 08:30 PM, Lucas Adamski: I don't think it would have made a tremendous difference here. One of them was likely infected accidentally (only one version of the addon contained malware and the developer is actively communicating

Re: Firefox Add-ons

2010-02-08 Thread Eddy Nigg
On 02/08/2010 09:28 PM, Lucas Adamski: In this case perhaps - in another case you perhaps will stay with the damage and never hear from the developer. The point is even a well legitimate intentioned developer with a code signing cert could ship malware by accident. Right - and I believe

Re: Firefox Add-ons

2010-02-08 Thread Bil Corry
I think such a document could go a long way to help people understand how Mozilla protects them, the limitations that are faced, and what happens when something goes wrong. If they still feel like it isn't enough, then they can be prompted to suggest improvements to the process. Speaking of