Closed Bug 1047269 Opened 10 years ago Closed 9 years ago

Addon-signing certificate request form

Categories

(addons.mozilla.org Graveyard :: Developer Pages, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: dveditz, Unassigned)

We need a form where Developers with an AMO account can request certificates to sign their add-ons. The process needs to be designed to be asynchronous because there may be a manual review process involved, and we'll definitely have to build in anti-abuse mechanisms to prevent people from swamping us with bogus requests. As part of the request process we must present our Terms of Service and get agreement from the developer before proceeding. Certificates will be tied to the ID of the add-on so we will need at least that much information. If we're doing manual review of partners we may need address and phone number and other identifying information. When granted, the certificate should not simply be made available; we should mail a link to the email address registered to that AMO account to verify its existence. We should also store that email with the records of issued certs in case the user later changes the email on their account.
What is the current plan for addressing this? Right now, https://wiki.mozilla.org/Addons/Extension_Signing#FAQ states, inter alia:

> What about private add-ons used in enterprise environments?
> We haven't announced our plan for this case yet. Stay tuned. In the interim, ESR will not support
> signing at least until version 45, which won't come out until 2016.

and

> How does the signing process work for unlisted add-ons?
> - For unlisted add-ons, files submitted for signing will go through an automated review process.
> If they pass this review, they are automatically signed and a download link is sent back to the
> developer. This process should normally take seconds. If the file doesn't pass review, the
> developer will have the option to request a manual review, which should take less than two days.
> This is not the same process that currently applies to AMO add-ons, which has been typically
> slower.
> - There is an API you can use for signing.

This doesn't address the case of being able to sign an extension without having to upload the complete code to AMO ("offline signing"). For private add-ons, there should be an option for signing without having to upload the complete XPI, IMO.
Flags: needinfo?(dveditz)
This bug was filed early and I don't know the current plan on the AMO side of things. I suggest using the link for further discussion in that article rather than this bug: https://wiki.mozilla.org/Addons/Extension_Signing#Further_discussion
Flags: needinfo?(dveditz)
This isn't part of the initial plan. If we find we need to revisit we will - but for now it's not on the radar in 2016.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Product: addons.mozilla.org → addons.mozilla.org Graveyard