On 16/10/2016 20:55, Ryan Sleevi wrote:
On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote:
On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz>
wrote:

 The only one who's openly addressed this
seems to be Mozilla.


It would certainly be nice if Mozilla weren't the only openly operated root
program. :)

It seems to put Mozilla in the situation of being the effective first-mover
whether they want to be or not, since they're the only entity hosting
public discussions about what to do. It certainly felt that way with
WorldPay, and Ryan's comments to Kathleen in the other thread about whether
Mozilla could be more aggressive with WoSign if they knew they were not
going to be saddled with first/only-mover disadvantage seem to point to
this dynamic as well.

To be clear: I don't think the fact that this is happening on 
mozilla.dev.security.policy is enough to suggest that there aren't 
open/transparent programs, or that it's limited to Mozilla's response.

Imagine a hypothetical world where there were multiple, independently approved 
root programs - that is, that the software vendor retains final choice in 
deciding to include/not include a given certificate. Let's say that these 
programs also adopted the principles that Mozilla has - of having a community 
driven focus, based on feedback and investigation, and an open period for 
review and discussion.

Would this hypothetical world benefit, or be harmed, if these conversations 
happened on independent lists? My belief is that it would be harmed - that is, 
that having separate root programs operate separate lists would invite all the 
same problems that the Common CA Cert Database (aka Salesforce) is trying to 
solve, by duplicating effort and activity, without providing new or unique 
information.

Instead, we might conclude that these independently operated programs might
benefit from having a common, shared community review and discussion, but then
independently declare their final results - whether to include, remove, or
otherwise sanction or censure. This would allow involved members of the
community a central place to discuss, publicly, and share information and
perspectives, while also avoiding the issues alluded to earlier in the thread
with respect to the antitrust statements of the CA/B Forum.

Whether such a shared list has a name like mozilla.dev.security.policy or some
new email list largely seems irrelevant; the status quo, by having a
large and involved membership, might be preferable to creating yet
another list.

Just a thought ;)


Unfortunately this line of thinking is hugely contradicted by some key
people on this mailing list repeatedly insisting on ignoring any
consequences outside the limited scope of the next release of Firefox.

Over the past few years, this has caused the Mozilla root list to
become less and less useful for the rest of the open source world, a
fact which at least some of the Mozilla-root-list-copying open source
projects seem not to be aware of yet.




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy