Remove Roots used for only Email and CodeSigning?

R Kent James kent at
Tue Sep 22 17:34:44 UTC 2015

On 9/18/2015 1:55 AM, Rob Stradling wrote:
> But since there are no current plans to change Thunderbird...
> Does this mean that Thunderbird still has a use for code signing
> certificates from commercial CAs and, consequently, the NSS code signing
> trust bit?

I'm not very familiar with the issues here. Perhaps Jorge or one of the 
people maintaining the toolkit Addon code would be better at this, as 
Thunderbird simply used (and still uses) the Addon toolkit code.

But given that caveat, the only use I am aware of for certificate 
signing concerned addons that were updated from non-AMO sites (which is 
forbidden for addons that go through AMO review, but is allowed for 
manually installed, unreviewed addons). For those sites, you had a 
choice of whether to use an https:// site with a valid SSL certificate, 
or to install updates using an http:// site with each addon update 
signed. I assume this is where the code signing bit was used?

If this is true, then I don't think that one use, which has a clear 
workaround which is easier to use than code signing, is a valid reason 
to keep the code signing bit usable in Gecko.

But let me ask around about this issue to make sure that my 
understanding is correct.

R. Kent James
Chair, Thunderbird Council

More information about the tb-planning mailing list