Cesar’s Vanilla Blog

White and creamy wtf


Notary is a XUL application that allows extension developers to sign their extensions, although it isn’t clear how well this will work. Signing is ridiculously expensive, and covering hundreds of extensions would easily cost many tens of thousands. But we have options.

The bare bones of the project have been put up on the wiki. I am open to suggestions, especially from extension developers on the features they want to see.

There isn’t a solid timeline, because much or all of the security-related XPCOM interfaces are undocumented. I put notes on the wiki about the things that are not obvious. Maybe someone should start collecting all of this in one place before someone else has to go through what I went through.


May 29, 2007 - Posted by | Mozilla

1 Comment »

  1. Cesar, there is no good reason why signing should be really expensive.

    The fallacy here is thinking Mozilla needs to refer to an external commercial company to handle signing certificate issuance, etc.

    It’s not only expensive, it’s also inadequate.

    In my view what you say here is just like saying Mozilla needs to hire an external company to provide the automatic update infrastructure, and that’s so expensive there’s no chance it will happen, so too bad there won’t be automatic upgrades for Firefox.

    It certainly would be ghastly expensive to pay someone to provide the level of service the current update infrastructure has. Mozilla has a world-class solution there that I think almost only Microsoft can beat.

    Using only infrastructure within Mozilla to handle the signing of extensions, not having to pay anyone, is probably several orders of magnitude easier to put in place than the update process.

    And it’s also the correct solution in organizational terms. Mozilla should be the one who decides what the proper process is to give someone a certificate to sign extensions and, even more important, should be the one freely able to decide to revoke it when it’s being improperly used. And also the one to put in place the most effective way to disseminate the information about revoked certificates.

    So Mozilla should require XUL to be signed by its own private CA (whilst allowing knowledgeable people to customize the product to accept other CAs).

    Comment by jmdesp | May 30, 2007 | Reply
