@chrisneedham A native editor app cannot include its signing cert when distributed to customer machines, even if it's closed source. :) If that signing cert is trusted, and the software has restrictions that a malicious user might want to get around, the signing cert will quickly be extracted and used to sign content generated without those restrictions.
If the WG thinks they're going to safely distribute signing keys in software, we need to get them some security review ASAP.
=> More information about this toot | View the thread | More toots from jyasskin@hachyderm.io