Thanks for sharing this correspondence, Richard. I'm not sure the committee fully appreciates the scope of the problem but it's good to see them make an effort. I was actually surprised that the committee seems to understand as much as they do so perhaps this will be just a first step in a process.
Regarding the specific questions asked and answered, I would have liked to see the idea of compatibility addressed in a more straightforward fashion. (I'm assuming this is what the letter had in mind when talking about stability?) As you know, the root store is a fixed component of the browser and the only way to change it is to update your browser. Not everyone updates his or her browser, for reasons good, bad, understandable, and so forth. This situation creates certain challenges for website owners when an important behavioral difference appears between versions. If the different browser versions also contain contradictory information in terms of the trusted roots, the software which validates certs, and compliance with government regulations, the potential exists for "good" websites to become inaccessible. It certainly doesn't benefit anyone when that happens. Obviously this stuff comes up all the time when we discuss the roots and such, but the committee might not have considered it. To the extent that the committee might like to implement regulations or make changes to them over time, they should keep this in mind. I'm not sure it's a technical limitation, but it is a limitation nonetheless. Just some thoughts...

Original Message
From: Richard Barnes
Sent: Tuesday, June 30, 2015 1:37 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Letter from US House of Representatives

Dear dev.security.policy,

I wanted to let you all know of some correspondence that happened recently between Mozilla and the US Congress. On June 9, the House of Representatives Committee on Energy and Commerce sent a letter [1] to Mozilla asking for our opinion on the "restricting CAs run by governments to issuing certificates for their own properties within their ccTLDs".

Mozilla security and policy staff wrote a reply [2] to this letter, highlighting the importance of our open process, and outlining some of the arguments on both sides of the question that were raised in earlier threads on this mailing list. Our reply was delivered June 23. Obviously, we can't change the letter now, but if you have any thoughts or concerns about this interaction, please feel free to reply in this thread.

--Richard

[1] https://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/114/Letters/20150609Mozilla.pdf
[2] http://blog.mozilla.org/netpolicy/files/2015/06/Mozilla-Response-to-Congressional-letter-on-CAs-signed.pdf

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy