by nolist_policy 453 days ago
Your links apply to public pki certificates.

Now, I didn't read the source code, but Mozilla's wording implies they use a custom PKI to sign extensions.

Given that most (all?) root programs only certify host names or email addresses (S/MIME), it is reasonable for Mozilla to run a custom PKI for this. And that necessarily requires shipping/pinning the root certificates.

Actually this whole discussion is moot, because Firefox uses (and ships with) the Mozilla Root Program. So it can not not pin certificates, because that is the whole point of a root program.

Looks like we all learned something today.

1 comments

You contradict your part here. I'm not sure if you meant to because the rest of your post sounds like it is saying Mozilla needs to pin if it's using a custom signing mechanism.

> Firefox uses (and ships with) the Mozilla Root Program

> can not not pin certificates

Shipping with a certificate store is, by definition, pinning. So not only can it, but your own post states it is when it says "and ships with".