
Comment Re:How Chrome extension signing works (Score 1) 85

This isn't really a code signing certificate, this is just a Chrome thing.

What you're referring to is a certificate that a company pays hundreds or thousands of dollars for and gets from a company like Verisign (are they still in business?). This certificate needs to be treated with utmost care because anyone that gets it can sign an executable or other application saying that it came from a specific company.

These certificates should NOT be used to sign Chrome extensions, because in the Chrome world you can only sign one extension for each certificate because the unique ID is based on a hash of the certificate.

Firefox supports using these certificates to sign add-ons. That's why sometimes when you install Firefox add-ons, you see a company name in the install dialog.

Comment Re:How Chrome extension signing works (Score 1) 85

To add to what Anonymous posted below, what Google has essentially done is blacklisted the ID associated with that key.

They want to be proactive and make sure no one else uses that key because any time a Chrome extension signed with that key is installed, it would always overwrite Yahoo Axis.

Chrome keys are used to generate unique IDs for their extensions: one key == one ID.

They also blacklist IDs for things like malware.

Blacklisting extensions is done by Mozilla as well based on IDs, only the Firefox IDs are generated by the developer of the add-on.

Comment How Chrome extension signing works (Score 4, Informative) 85

I'm not sure everyone understands exactly what this file is.

When you create a Chrome extension, if you are not going to submit the Chrome extension to the store, you ask Chrome to package the extension. In this process, Chrome generates a private key. This key has nothing to do with identifying you as the author. It is only used so that when you update the extension, you can package and sign it using the same key. Everyone has to keep a local copy of this key, because if you lose it, you can never update your extension. It appears Yahoo kept it in their build directory and accidentally packaged it.

Having this private key allows you to build a Chrome extension that when installed overlays the existing Yahoo extension. This is because the private key is how Chrome uniquely identifies an extension.

So yes, this was a dumb mistake. It would allow someone to create an add-on that when installed would overwrite the Yahoo Axis extension. To do this, you would need to create the extension and then convince someone to install it. But if you can convince someone to install it, you can convince them to install any Chrome extension.

This was not giving away "Yahoo's private key," it was giving away "the private key that Chrome generated to allow Yahoo to sign their extension."

There is the remote possibility that Yahoo used a real private key to sign their Chrome extension and not one generated by Chrome. If that's the case, everyone involved in the project should be fired.
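The key-to-ID relationship and the packaging mistake described in the comment above, as an added example that is not part of the original comment or of Chrome's code: Chrome takes the first 128 bits of the SHA-256 hash of the package's DER-encoded public key and writes them with the letters a-p, and a pre-packaging check can catch a private key left in the build directory. The key bytes, file names and function names are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# PEM header that marks a private key file (PKCS#8, RSA, EC or encrypted form).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def extension_id(public_key_der: bytes) -> str:
    """First 128 bits of SHA-256 over the DER public key, hex digits 0-f mapped to a-p."""
    digest_hex = hashlib.sha256(public_key_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest_hex)


def find_private_keys(build_dir: str) -> list[str]:
    """Return relative paths of files under build_dir that contain a PEM private key."""
    hits = []
    for root, _dirs, files in os.walk(build_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if PEM_PRIVATE.search(fh.read()):
                    hits.append(os.path.relpath(path, build_dir))
    return sorted(hits)


def demo() -> dict:
    # Constructed stand-ins for two DER-encoded public keys (not real keys).
    key_a = b"constructed-public-key-A"
    key_b = b"constructed-public-key-B"
    with tempfile.TemporaryDirectory() as build:
        # Constructed build directory with a key left beside the extension files.
        with open(os.path.join(build, "manifest.json"), "w") as fh:
            fh.write('{"name": "demo", "version": "1.0"}')
        with open(os.path.join(build, "demo.pem"), "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n")
        leaked = find_private_keys(build)
    # The ID depends only on the key, so any package carrying key_a gets id_a.
    return {"id_a": extension_id(key_a), "id_b": extension_id(key_b), "leaked": leaked}


if __name__ == "__main__":
    print(demo())
```

A build script can refuse to produce the archive whenever `find_private_keys` returns a non-empty list.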

Comment Re:"Re-establishing" (Score 5, Informative) 156

The previous EWG was my effort and yes I believe it failed because of a lack of interest by Mozilla.

The old information is here:

https://wiki.mozilla.org/Enterprise/Old

And yeah, it is sad that the blog came down with the meeting notes.

It looks like the wayback machine caught my back though

http://web.archive.org/web/20080608175739/http://e2pt0.blogspot.com/2007/08/firefox-ewg-meeting-2.html

At least for some posts.

Comment Re:What a pipedream. (Score 1) 152

There's no excuse for churning out IE only shit any more. A dev coding IE only is either a) lazy or b) incompetent.

Totally agree.

The problem here is usually not new stuff, though. It's things like apps that someone wrote five years ago that no one has touched in years that still need to be maintained. Or third party applications that IBM purchased years ago and didn't buy updates so they are stuck. Or an app where the requirements were done five years ago and it's just now being deployed.

Comment Re:What a pipedream. (Score 1) 152

IBM has been battling internal groups trying to get them to support browsers other than IE for 5 years plus (believe me - I was there, and I was involved)

At some point you have to say "this is the future" and get groups to change. Simply sticking your head in the ground and saying "we're stuck on IE" is not a solution.

The internal apps need to be moved to open standards. That's the message the internal groups will be getting here.

Comment Re:How will they manage it? (Score 1) 152

The deployment is a separate issue, but if you want to package and deploy a customized Firefox like IBM, you can use the CCK to do the customization:

https://addons.mozilla.org/en-US/firefox/addon/2553/

and then you can customize the Firefox installer:

http://kaply.com/weblog/2010/06/18/customizing-the-firefox-installer-on-windows/
