Remove Roots used for only Email and CodeSigning?
R Kent James
kent at caspia.com
Tue Sep 22 17:34:44 UTC 2015
On 9/18/2015 1:55 AM, Rob Stradling wrote:
> But since there are no current plans to change Thunderbird...
> Does this mean that Thunderbird still has a use for code signing
> certificates from commercial CAs and, consequently, the NSS code signing
> trust bit?
I'm not very familiar with the issues here. Perhaps Jorge or one of the
people maintaining the toolkit Addon code would be better at this, as
Thunderbird simply used (and still uses) the Addon toolkit code.
But given that caveat, the only use I am aware of for certificate
signing concerned addons that were updated from non-AMO sites (which is
forbidden for addons that go through AMO review, but is allowed for
manually installed, unreviewed addons). For those sites, you had a
choice of whether to use an https:// site with a valid SSL certificate,
or to install updates using an http:// site with each addon update
signed. I assume this is where the code signing bit was used?
If this is true, then I don't think that one use, which has a clear
workaround which is easier to use than code signing, is a valid reason
to keep the code signing bit usable in Gecko.
But let me ask around about this issue to make sure that my
understanding is correct.
R. Kent James
Chair, Thunderbird Council
More information about the tb-planning