Comment Re: cert expiry fail (Score 2) 158
Verifying the signature of a piece of piece code that is already installed is very different from verifying the signature of something that you are about to install.
If I am installing something new, I would not trust a signature if any part of its certificate chain has expired. But if the code has already been installed and if it was trusted before the certificate expired, then I am much safer because I only need to verify that that code has not changed since then (and this can be done in more than one way, not necessarily based on the certificates).
The problem that has hurt Firefox in the past is that some programs were installing unwanted extensions or modifying existing extensions without the user's knowledge or consent. It was easy for the malicious programs to do that by adding or modifying XPI files in the user's profile directory. Signed XPI files are much harder to temper with, as long as the certificate chain is safe. The limited duration for the validity of the certificates is one way to reduce the risks that someone cracks a signing key. (Note that the scope of the defense is limited to the files in the user's profile directory, not the installed files of Firefox itself.) But the problem is simpler if you only want to verify that some files that were already verified in the past have not been modified.
After an extension has been validated and installed, Firefox could record a signature of that code in a safe place so that it could still use that signature even if some parts of the certificate chain have expired. That signature could be the original signature of the package, a locally generated signature, or preferably both. A locally generated signature would be unique for each user, so it would be harder for a malicious program to install an unwanted extension for all users. The "safe place" for the list of validated signatures could also be part of the user's profile but it could be protected against tempering by signing it or even encrypting it with a separate key. And if you want to be extra safe, then use a public/private key pair for that and make sure that the private part is not available without user interaction (password-protected key) and/or without connecting to the Mozilla servers.