Remove Roots used for only Email and CodeSigning?

Rob Stradling rob.stradling at
Wed Sep 23 07:27:32 UTC 2015

On 22/09/15 18:34, R Kent James wrote:
> On 9/18/2015 1:55 AM, Rob Stradling wrote:
>> But since there are no current plans to change Thunderbird...
>> Does this mean that Thunderbird still has a use for code signing
>> certificates from commercial CAs and, consequently, the NSS code signing
>> trust bit?
> I'm not very familiar with the issues here. Perhaps Jorge or one of the
> people maintaining the toolkit Addon code would be better at this, as
> Thunderbird simply used (and still uses) the Addon toolkit code.
> But given that caveat, the only use I am aware of for certificate
> signing concerned addons that were updated from non-AMO sites (which is
> forbidden for addons that go through AMO review, but is allowed for
> manually installed, unreviewed addons). For those sites, you had a
> choice of whether to use an https:// site with a valid SSL certificate,
> or to install updates using an http:// site with each addon update
> signed. I assume this is where the code signing bit was used?

I'm no expert on addons, but yes, that's where I'd expect the code
signing bit to be used.

> If this is true, then I don't think that one use, which has a clear
> workaround which is easier to use than code signing, is a valid reason
> to keep the code signing bit usable in Gecko.

I agree.

> But let me ask around about this issue to make sure that my
> understanding is correct.


> R. Kent James
> Chair, Thunderbird Council
> @rkentjames

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the tb-planning mailing list