question about xpi code signing

[al_9x]

NS xpi is signed now and the difference that makes in the installation ui is the inclusion of the CN string in the download dialog. With a server cert, the CA validates at a minimum that you are the owner of the domain in the CN field, but with a code cert you are signing essentially an arbitrary string, "informaction" in this case. Is there a mechanism that guarantees that no other CA can sign "informaction" for anyone else? I don't think there is a global registry of these, unlike domains.

[Giorgio Maone]

I don't know what's the general practice, but Comodo (which issued by cert) has been very pedantic (it took 4 weeks for verification, probably because we're in Italy), verifying both the informaction.com whois record, which had to match the certificate data including the street address, the existence of the company, and the non-"virtuality" of it (i.e. incorporation documents and ownership of a at least one physical site with a phone landline, not a VOIP service).
Therefore yes, if you want you may perhaps obtain an "InformAction" certificate, but you need to create a company called InformAction with proper incorporation, land an office with at least one landline phone or electricity bill in the name of "InformAction", an "informaction.xyz" domain whose WHOIS record matches your company and street address. And yet, your certificate won't be "InformAction, via Emilia 33, 90144 Palermo, software@informaction.com" and I could ask its revocation (both of the certificate and of the company) under trademark laws (InformAction is a registered trademark).

[therube]

(Heh. Comodo, with all the lovely press they've received of late. <I don't care one way or the other, but I suspect there are many who feel otherwise.> Bug 470897: Investigate incident with CA that allegedly issued bogus cert for http://www.mozilla...)

[Grumpy Old Lady]

(Heh. Comodo, with all the lovely press they've received of late. <I don't care one way or the other, but I suspect there are many who feel otherwise.> Bug 470897: Investigate incident with CA that allegedly issued bogus cert for http://www.mozilla...)

I care. And it's just more of the same for users: deciding whether to trust a corporation? How do you even begin? Mozilla just as much as Comodo in this case.
I pity the fool.
/Mr T.

[Giorgio Maone]

Heh. Comodo, with all the lovely press they've received of late.

I actually suspected all the rather pedantic double checks were due to the fear of "another stunt from another security guy" after their reseller incident, but I tend to believe their practices are currently above the CA, if not else in order not to be caught with their pants down again.
Notice also that most cheap and presumably not very diligent CAs/resellers don't issue code signing certified because there's not enough demand to justify mass discounts, and among those who issue them very few make them compatible with XPI signing.