This isn't really a code signing certificate, this is just a Chrome thing.
What you're referring to is a certificate that a company pays hundreds or thousands of dollars for and gets from a company like Verisign (are they still in business?). This certificate needs to be treated with utmost care because anyone that gets it can sign an executable or other application saying that it came from a specific company.
These certificates should NOT be used to sign Chrome extensions, because in the Chrome world you can only sign one extension for each certificate because the unique ID is based on a hash of the certificate.
Firefox supports using these certificates to sign add-ons. That's why sometimes when you install Firefox add-ons, you see a company name in the install dialog.
To add to what Anonymous posted below, what Google has essentially done is blacklisted the ID associated with that key.
They want to be proactive and make sure no one else uses that key because any time a Chrome extension signed with that key is installed, it would always overwrite Yahoo Axis.
Chrome keys are used to generate unique IDs for their extensions: one key == one ID.
They also blacklist IDs for things like malware.
Blacklisting extensions is done by Mozilla as well based on IDs, only the Firefox IDs are generated by the developer of the add-on.
I'm not sure everyone understands exactly what this file is.
When you create a Chrome extension, if you are not going to submit the Chrome extension to the store, you ask Chrome to package the extension. In this process, Chrome generates a private key. This key has nothing to do with identifying you as the author. It is only used so that when you update the extension, you can package and sign it using the same key. Everyone has to keep a local copy of this key, because if you lose it, you can never update your extension. It appears Yahoo kept it in their build directory and accidentally packaged it.
Having this private key allows you to build a Chrome extension that when installed overlays the existing Yahoo extension. This is because the private key is how Chrome uniquely identifies an extension.
So yes, this was a dumb mistake. It would allow someone to create an add-on that when installed would overwrite the Yahoo Axis extension. To do this, you would need to create the extension and then convince someone to install it. But if you can convince someone to install it, you can convince them to install any Chrome extension.
This was not giving away "Yahoo's private key," it was giving away "the private key that Chrome generated to allow Yahoo to sign their extension."
There is the remote possibility that Yahoo used a real private key to sign their Chrome extension and not one generated by Chrome. If that's the case, everyone involved in the project should be fired.
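As an added example (not part of the original comments, and not Chrome's or Yahoo's code): a pre-release check that scans a packaged extension archive for PEM private key material, alongside the ID derivation that makes such a leak matter. Chrome derives the extension ID from the SHA-256 of the DER-encoded public key; the archive contents, file names and key bytes below are constructed samples.

```python
import hashlib
import io
import re
import zipfile

# PEM headers that mark private key material (PKCS#8, PKCS#1 RSA, EC, encrypted PKCS#8).
PRIVATE_KEY_MARKER = re.compile(
    rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----"
)


def extension_id(public_key_der: bytes) -> str:
    """Map the first 16 bytes of SHA-256(public key) to the letters a-p."""
    digest = hashlib.sha256(public_key_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def find_private_keys(package: bytes) -> list[str]:
    """Return names of archive members that contain a PEM private key."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if PRIVATE_KEY_MARKER.search(zf.read(info)):
                hits.append(info.filename)
    return hits


def build_sample_package(include_key: bool) -> bytes:
    """Constructed sample: a tiny extension archive, optionally with a leaked key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        zf.writestr("background.js", "// constructed sample\n")
        if include_key:
            # Placeholder body, not a real key; only the PEM header matters here.
            zf.writestr(
                "build/sample.pem",
                "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for leaked in (False, True):
        found = find_private_keys(build_sample_package(leaked))
        print("FAIL" if found else "ok", found)
    # Same key bytes always give the same 32-letter ID: one key == one ID.
    print(extension_id(b"constructed-public-key-bytes"))
```

Run as a release gate, a non-empty result from `find_private_keys` should fail the build before the package is published.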
Actually I've built a CCK Wizard for Firefox. It's been around for a while.
It doesn't do the installer, but it does a lot of the other stuff:
https://addons.mozilla.org/firefox/addon/cck/
There's no excuse for churning out IE only shit any more. A dev coding IE only is either a) lazy or b) incompetent.
Totally agree.
The problem here is usually not new stuff, though. It's things like apps that someone wrote five years ago that no one has touched in years that still need to be maintained. Or third party applications that IBM purchased years ago and didn't buy updates so they are stuck. Or an app where the requirements were done five years ago and it's just now being deployed.
IBM has been battling internal groups trying to get them to support browsers other than IE for 5 years plus (believe me - I was there, and I was involved).
At some point you have to say "this is the future" and get groups to change. Simply sticking your head in the ground and saying "we're stuck on IE" is not a solution.
The internal apps need to be moved to open standards. That's the message the internal groups will be getting here.
The previous EWG was my effort and yes, I believe it failed because of a lack of interest by Mozilla.
The old information is here:
https://wiki.mozilla.org/Enterprise/Old
And yeah, it is sad that the blog came down with the meeting notes.
It looks like the wayback machine caught my back though
http://web.archive.org/web/20080608175739/http://e2pt0.blogspot.com/2007/08/firefox-ewg-meeting-2.html
At least for some posts.
Yes. And yes.
You can hide it completely so it can't be uninstalled.
And you can install it in a central location on the machine.
Accessibility is also a huge issue. IBM has invested heavily into Firefox accessibility.
The deployment is a separate issue, but if you want to package and deploy a customized Firefox like IBM, you can use the CCK to do the customization:
https://addons.mozilla.org/en-US/firefox/addon/2553/
and then you can customize the Firefox installer:
http://kaply.com/weblog/2010/06/18/customizing-the-firefox-installer-on-windows/
> The Client Customization Kit has a URL of http://code.google.com/p/ff-cckwizard/ ?
That's just what I'm using for source code control.
Send him:
https://addons.mozilla.org/en-US/firefox/addon/2553/
The reason the source code isn't hosted at Mozilla anymore is because I didn't want to use Mercurial.
I'm a little disappointed that there wasn't more information in this article about the work that IS going on.
IBM (and other folks) are actively trying to get more people involved in making Firefox better for the enterprise.
We realize this isn't an area that Mozilla Corp. cares much about, so we're trying to rally more folks to support in this arena.
If you want to participate, check out:
http://www.kaply.com/weblog/2008/01/03/firefox-enterprise-newsgroup/
The phone number on the Mirage business card appeared to be a real 866 number - anyone get it?
Interesting. It sounds like you have your browser configured to pretend it is internet explorer? Java doesn't like that....
Did you install it over an existing Firefox?
Did it migrate settings from another browser?
Stupid question.
Are any other windows open or up at the time?
If you have the file dialog open for some reason in some other window, enter won't work in other browser windows.
http://www.thedigitalbits.com/reviews3/starwarstrilogy.html
Speak for yourself.
You're not one of the people that has gotten tons of spam about the rename.
These guys are deluging our mailboxes with the same paragraph OVER and OVER.
IE has the ability to insert arbitrary HTML which makes table insertion much easier. We had to use DOM manipulation for our demo. I haven't added IE specific code for table insertion yet.
As far as the API goes, we worked very hard to make the API compatible with IE.
If you want to understand how we differ from IE, see:
http://www.mozilla.org/editor/ie2midas.html
I have on my todo list to make the demo work better in IE. In particular, I'd love to get the button look and feel working better in IE.
Yes, Web Explorer, the first OS/2 web browser did.
:)
It was called the Web Map and it is still one of the most requested features we have for the OS/2 version of Mozilla.
It essentially presented all your web history in a hierarchical view that was very easy to navigate.
We (IBM) probably even have a patent on it.
It's worse than being annoying.
TVs that are especially susceptible to burn-in, like rear projection TVs, can actually be damaged by these logos.