[Project_owners] XPI install still vulnerable to MITM attacks on mozdev.org

David Boswell davidwboswell at yahoo.com
Wed Jul 18 08:50:44 PDT 2007


> Is this "no go" just a technical, or a political decision of mozdev.org?
> Myk said to have troubles when people start using the mozdev.org
> certificate for other things, like updates.rdf for example, is
> this perhaps the reason, or what else is it that you guys are so
> reluctant to implement this?

I think it makes the most sense for mozdev to follow AMO's policy in
this matter.  This will benefit project owners because they won't need
to worry about dealing with two separate systems for installations and
downloads.  

I also don't think we have been reluctant to implement this feature. 
We've evaluated using the mozdev cert for downloads and installations
and decided that this is unnecessary.  For some background, this issue
came up earlier this year and we decided it wasn't needed then as well.

Evaluate code-signing certificate for XPI downloads
https://www.mozdev.org/bugs/show_bug.cgi?id=15482 

I can understand if there is disagreement about this matter because it
is complicated and AMO's policy about this is changing right now as
well.  I suggest we keep tracking this and change our plans as needed.

David
