On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote:
> On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz>
> wrote:
>
> > The only one who's openly addressed this
> > seems to be Mozilla.
>
> It would certainly be nice if Mozilla weren't the only openly operated root
> program. :)
>
> It seems to put Mozilla in the situation of being the effective first-mover
> whether they want to be or not, since they're the only entity hosting
> public discussions about what to do. It certainly felt that way with
> WorldPay, and Ryan's comments to Kathleen in the other thread about whether
> Mozilla could be more aggressive with WoSign if they knew they were not
> going to be saddled with first/only-mover disadvantage seem to point to
> this dynamic as well.

To be clear: I don't think the fact that this is happening on mozilla.dev.security.policy is enough to suggest that there aren't open/transparent programs, or that it's limited to Mozilla's response.

Imagine a hypothetical world where there were multiple, independently approved root programs - that is, that the software vendor retains final choice in deciding to include/not include a given certificate. Let's say that these programs also adopted the principles that Mozilla has - of having a community driven focus, based on feedback and investigation, and an open period for review and discussion.

Would this hypothetical world benefit, or be harmed, if these conversations happened on independent lists? My belief is that it would be harmed - that is, that having separate root programs operate separate lists would invite all the same problems that the Common CA Cert Database (aka Salesforce) is trying to solve, by duplicating effort and activity, without providing new or unique information.

Instead, we might conclude that these independently operated programs might benefit from having a common, shared community review and discussion, but then independently declare their final results - whether to include, remove, or otherwise sanction or censure. This would allow involved members of the community a central place to discuss, publicly, and share information and perspectives, while also avoiding the issues alluded to earlier in the thread with respect to the antitrust statements of the CA/B Forum.

Whether such a shared list has a name like mozilla.dev.security.policy or some new email list largely seems irrelevant, and that the status quo, by having a large and involved membership, might be more preferable than creating yet another list.

Just a thought ;)