On Fri, Feb 13, 2015 at 09:54:25AM +0100, Kurt Roeckx wrote: > On 2015-02-13 01:14, Botond Ballo wrote: > >One concern which I don't feel has been sufficiently emphasized, is > >the way in which this proposal would make our users vulnerable to > >censorship. > > What I've been wondering is who can sign? Is Mozilla the only one that can > sign it or can a signature from a code signing certificate that is in the > trust store be used? I think since we're signing code, we should rely on > any code signing certificate. But for people that find that expensive > Mozilla could sign it for them.
The linked post indicates that only Mozilla will be signing, and the attestation is not as to the identity of the originator, but as to the fact that the code is not malicious. This scheme is one of code whitelisting, not identity management, thus identity certificates, code signing or otherwise, are irrelevant. I too believe that the browser should allow the installation of locally-trusted keys for distribution of locally signed extensions within an enterprise or for local development or testing. However, it's not my codebase, so I'm not going to beat my chest and demand that Something Be Done (as many of the commenters on the post did). Having to run an unbranded build just to do extension development seems a bit over the top, and it re-exposes the user up to the security risks of malicious extensions. As to censorship, Mozilla already has that capability with its addon blacklisting, as was mentioned by the article author in the comments. Whether the censorship could be "quieter" in an extension signing world, by simply not issuing a signature, as opposed to publishing a blacklist, is something worth discussing further. - Matt -- I tend to think of "solution" as just a pretentious term for "thingy". Doing that word substitution in my head makes IT marketing literature somewhat more tolerable. -- lutchann, in http://lwn.net/Articles/124703/ _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy