Here's where I stand on this...
- I think it would be premature to remove the Email trust bit at this
point in time.
- I cannot spend any more time on the Email trust bit than I currently do.
- I think we should postpone (to a future version of the policy)
splitting the S/MIME policy into a separate document from the TLS
policy, because that will take extra effort. Someone else needs to
commit to leading the effort to create the S/MIME policy. When a
separate S/MIME policy exists, then we can do the full separation.
- I cannot commit to separating out the discussions for the Email trust
bit until there is a separate S/MIME policy, because separating out the
discussions means more work for me, for little or no benefit to the
community until there is a separate policy.
- I think we should keep status quo in regards to the Email trust bit
for now, and re-evaluate for the following version (e.g. 2.4) of
Mozilla's CA Certificate Policy. Part of that evaluation will be to take
into consideration what work has been done for the S/MIME policy and bug
fixing for S/MIME in NSS between now and then.
- We've heard (mostly anecdotally) that people depend on the Email trust
bit, yet (to my knowledge) no one has stepped up to commit resources to
fixing the issues that have been raised during this discussion.
Therefore, I'm OK with keeping things status quo for a bit longer, but
if no one steps up to do this work in the next year, then I will be less
inclined to continuing to support the Email trust bit.
Thanks again to all of you who thoughtful and constructively contributed
to this discussion.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
