Hi Dimitris, I intend to introduce the remaining discussion topics over the next three weeks. I did not announce an end to the discussion period on purpose, so that we can have as full of a discussion as possible. Also, in the next three weeks, I intend to start summarizing the discussions and coming up with new suggested language on those issues that have been discussed. I expect that during December we will start to solidify the amendments to MRSP (v.2.7.1), and that in January I'll announce a "last call" on the amendments. Following that I will "summarize a consensus that has been reached, and/or state the official position of Mozilla" - see https://wiki.mozilla.org/CA/Updating_Root_Store_Policy.
Part of the discussion that will still need to take place deals with implementation deadlines, timing, etc. Let's discuss that now for the non-controversial items, and then in late December / early January for those that are more contentious (assuming they remain in this batch of changes).

Sincerely yours,
Ben Wilson
Mozilla Root Store

On Mon, Nov 9, 2020 at 2:45 AM Dimitris Zacharopoulos via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>
> On 7/11/2020 3:12 p.m., Ryan Sleevi wrote:
> >
> >
> > On Sat, Nov 7, 2020 at 4:52 AM Dimitris Zacharopoulos
> > <ji...@it.auth.gr> wrote:
> >
> >
> >     I will try to further explain my thoughts on this. As we all know,
> >     according to Mozilla Policy "CAs MUST follow and be aware of
> >     discussions in the mozilla.dev.security.policy
> >     <https://www.mozilla.org/about/forums/#dev-security-policy> forum,
> >     where Mozilla's root program is coordinated". I believe Mozilla
> >     Root store managers' minimum expectations from CAs are to _read
> >     the messages and understand the content of those messages_. Right
> >     now, we have [1], [2], [3], [4], [5], [6], [7], [8], [9]
> >     policy-related threads opened up for discussion since October 15th.
> >
> >     If every post in these threads contained as much information and
> >     complexity as your recent reply to Clemens,
> >
> >
> > This seems like a strawman argument, but I don’t think it’s intentional.
> >
> > You’re arguing that “if things were like this hypothetical situation,
> > that would be bad”. However, they aren’t like that situation, as the
> > evidence you provided shows. This also goes back to the “what is your
> > desired outcome from your previous mail”, and trying to work out what
> > a clear call to action to address your concerns would be. Your previous
> > message, especially in the context of your (hypothetical) concern,
> > reads like you’re suggesting “Mozilla shouldn’t discuss policy changes
> > with the community”. I think we’re all sensitive and aware of the
> > desire not to have too many parallel discussions, which is exactly
> > why Ben’s been only introducing a few points a week, to facilitate
> > that and make progress without overwhelming.
>
> To the contrary, I want more people to be able to participate in these
> discussions, which is precisely why I "complained" about the size of
> your response to Clemens :-) Keeping our replies to reasonable levels,
> with a mindset that this is an International Internet community and
> people might be interested to participate (even auditors that are not
> native-English speakers), I believe is a good thing.
>
> I also see that Ben has introduced a lot of policy proposal topics for
> discussion in a short period of time, but I don't know what the
> expectations about their "discussion time" are. Should anyone just pick
> any topic and start a discussion? That might introduce a lot of parallel
> discussions and I'm not sure if this is desirable by Ben. Perhaps we
> need some coordination on these topics, for example "please send
> feedback for topics 1 and 2 before the end of week X. If no feedback is
> received, we'll deem the proposal accepted", something like that, before
> moving to other topics.
>
> >
> > As it relates to this thread, or any other thread, it seems the first
> > order evaluation for any CA is “Will the policy change”, followed by
> > “What do I need to do to meet the policy?”, both of which are still
> > very early in this discussion. You’re aware of the policy discussion,
> > and you’re aware a decision has not been made yet: isn’t that all you
> > need at this point? Unlike some of the other proposals, which require
> > action by CAs, this is a proposal that largely requires action by
> > auditors, because it touches on the audit framework and scheme. It
> > seems like, in terms of expectations for CAs to participate,
> > discussing this thread with your auditor is the reasonable step, and
> > working with them to engage here.
> >
> > Hopefully that helps. Your “but what if” is easily answered as “but
> > we’re not”, and the “this is a lot, what do I need to do” is simply
> > “talk with your auditor and make sure they’re aware of discussions
> > here”. That seems a very simple, digestible call to action?
> >
>
> It helps me understand your point of view but it seems that you don't
> acknowledge the need to keep these emails to a reasonable and digestible
> size, regardless of whether the intended recipients are auditors, CAs, or Relying
> Parties. You seem to dismiss my point and the fact that some messages on
> this list have been, in fact, very long and very complicated, which makes
> participation and contributions very difficult. I trust that we are both
> interested in truly meeting Mozilla's goal for an open Internet
> community (which includes contributions from International
> participants), so please help the community by trying to break down
> complicated responses into simpler ones, and let's all try to use
> shorter answers that are to the point.
>
> Indeed, this particular policy change proposal seems to mainly affect
> Auditors, but individual members of this community (either representing
> CAs or as Relying Parties) might also be interested to participate, just
> as Auditors and Relying Parties may participate in discussions around
> policy change proposals that affect CAs. FWIW, I think changing the
> rules for auditors also affects CAs because it creates an opportunity
> for CAs to have engagements with individual auditor persons, as long as
> they are accepted by Mozilla.
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy