On Sun, Aug 10, 2014 at 08:16:42PM -0700, David E. Ross wrote:
> On 8/10/2014 4:09 PM, Matt Palmer wrote:
> > On Sat, Aug 09, 2014 at 04:53:46PM -0700, David E. Ross wrote:
> >> Anyone wishing to argue this issue further -- to argue in favor of
> >> implementing a scheme to encourage all Web sites to be HTTPS with site
> >> certificates -- should first read
> >> <http://www.2rosenthals.net/wordpress/googles-https-everywhere-initiative-not-so-fast-994/>.
> >> The blogger is a certificate reseller and also a computer systems
> >> integrator. Thus, he is a professional in the area of computer systems,
> >> including security.
> >
> > How do you get from "resells certificates and bolts parts together" to "he is
> > a professional in [...] security"? I won't deny that he is in the computer
> > systems profession (in the very precise definition of "for a livelihood"),
> > but beyond that, you're drawing an *exceptionally* long bow.
>
> I was a computer systems integrator for over 30 years. I fully
> understand what "integrator" means. In my career, software integration
> often included dealing with secure systems and how they were made secure.

"Dealing with" != "competent to assess and recommend". I deal with the
electrical system in my house, by virtue of using it. Doesn't mean I'm a
professional electrician.

> Rosenthal is also a reseller of X.509 subscriber certificates, which
> should mean he understands Internet security.

How do you figure? Being a reseller of SSL certs just means that you're
taking people's money and giving them someone else's certificates. Even if a
reseller "should" understand Internet security (which isn't the case), is
there any evidence to suggest that he does understand Internet security?

> Otherwise, how is he allowed to sell such certificates?

Who assesses his competence, and is capable of prohibiting him (with
meaningful sanctions) if he is not, in fact, competent?

> Add those two concepts together.

My calculator laughed at me, muttering something about "apples and oranges".
I wonder what that means?

- Matt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy