←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 4 comments | 04 May 19 01:31 UTC | HN request time: 0.908s | source
1. M0 ◴[04 May 19 03:05 UTC] No.19824127[source]
They don't use cryptographic timestamps with their signatures ? The certificate might now be invalid, but the signatures were done at a time when it was valid...
replies(1): >>19824413 #
2. fluidcruft ◴[04 May 19 04:20 UTC] No.19824413[source]
The problem is that "time" is fungible and can be forged. The date on a signature doesn't really mean anything.
replies(2): >>19824479 #>>19824706 #
3. userbinator ◴[04 May 19 04:36 UTC] No.19824479[source]
Emphasis on cryptographic timestamps.
4. altfredd ◴[04 May 19 05:50 UTC] No.19824706[source]
This is a very bizarre justification for an obvious bug. Code-signing does not work that way anywhere else — neither in Android, nor on iOS, Windows or any other common platform.

There is a possibility that Mozilla implemented their backwards code-signing model on purpose — for example, it allows them to oust unwanted extensions without explicitly recalling their certificates. But personally I think that they just didn't give the matter enough thought.