[Chris2048]

No, how it should work is each extension is associated with a private key that is registered with a specific individual or legal entity and implies some kind of liability for anything signed with that key - and if/when the key changes (or the associated credentials), users will be explicitely alerted and need to re-authenticate the plugin.

If the old owner gives their key to the new owner, then they should be on the hook for it. I was thinking of this yesterday, as I think this is also how domains should work.

[dragonmost]

How does this safe guards against having the extension under a company and selling that company off. Still the same entity, different owners, different "incentives".

[Chris2048]

Assuming the new owner is a director of the new company, they are now liable. Or possibly the previous owner, if they handed over the key as an asset.