Given that signtool is used to sign and verify software objects, customers should be able to trust that they have a version of signtool that they can trust - otherwise object signing doesn't make sense. I would like to propose that iPlanet/Mozilla.org, digitally sign the binary and source distributions of signtool and make them available on your web sites. Additionally, allow customers to be able to buy an official CD-ROM from iPlanet/Mozilla.org with signed versions of the signtool binary and source. This way customes won't have to trust the websites, if they prefer to trust official CD-ROMs from the company.
marking signtool bugs as future until 3.3 plan is ready.
Set Target Milestone to NSS 3.3. Assigned the RFE to Bob for evaluation.
Signing out distribution in general would be a good idea, just not for 3.4. bob
Changed the QA contact to Bishakha.