On 9/21/2015 7:07 PM, Kathleen Wilson wrote:
> As we did with the discussion about the code signing trust bit, let's
> list the arguments for and against removing references to the Email
> trust bit from Mozilla's CA Certificate Policy.

The main comment that I can give is that this is spectacularly bad timing for us to do this discussion. If we must have this discussion now, OK we'll do it, but I would ask instead if this can't be delayed for six months.

The Thunderbird team is trying very hard to get Mozilla to clarify the position of Thunderbird within Mozilla, and at the same time organizing funding external to MoCo that will allow us to have a team of developers that can address some of the complaints that Brian Smith makes about the current state of Thunderbird development. Part of the motivation for external funding is that Thunderbird, as the leading open-source desktop email client, plays a critical role in the worldwide infrastructure supporting end-to-end communications encryption. One way or the other, these issues will be resolved within 6 months, and a new policy toward Thunderbird publicly adopted by Mozilla.

Yes, we understand that within parts of MoCo Thunderbird is all but written off. But in spite of years of neglect within Mozilla, Thunderbird is still the #2 product of Mozilla. The ratio of Thunderbird users to Firefox desktop users is relatively static, which is pretty amazing given that Thunderbird has done almost no marketing for years.

The last official statement from Mozilla on Thunderbird, from Mitchell's 2012-07-06 blog posting, stated:

"Much of Mozilla’s leadership — including that of the Thunderbird team — has come to the conclusion that on-going stability is the most important thing ... Mozilla will provide security updates through an Extended Support Release process."

Mozilla initially met this expectation, but started silently reneging on their promises a couple of years ago. Over the last 9 months volunteers have been slowly filling in the missing pieces to overcome this, but that is not the proper long-term solution for a product that is as important to as many people as Thunderbird is. We are putting in place a long-term solution that may or may not keep Thunderbird as a critical part of the Mozilla organization, but the discussions are still ongoing.

Given all of that, it would be better to delay this discussion. If that is not possible, the most simple response I can give is that Thunderbird is still Mozilla's #2 product, security is an important part of the Mozilla manifesto and brand, and S/MIME is an important Thunderbird security feature that relies on this root certificate infrastructure. If there are issues with how that is handled, let's fix those issues.

R Kent James
Chair, Thunderbird Council

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
