> On Thu, 27 Sep 2018 14:52:27 +0000 > Tim Hollebeek via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > > My personal impression is that by the time they are brought up here, > > far too many issues have easily predicted and pre-determined outcomes. > > It is probably true that many issues have predictable outcomes but I think > predictability is on the whole desirable. Are there in fact CA representatives > who'd rather they had no idea how Mozilla would react when there's an issue?
Asserting that the only alternative to pre-determined outcomes is "no idea" is a straw man. If there is a lack of predictability because I can't predict the results of an open and honest deliberation among a diverse community, then yes, I want that. I would actually love to see more widespread participation by community members. Different perspectives are useful. > > I know most of the security and key management people for the payment > > industry very well [1], and they're good people. > > I mean this not sarcastically at all, but almost everybody is "good people". > That's just not enough. I would like to think that I'm "good people" and yet it > certainly would not be a good idea for the Mozilla CA root trust programme to > trust some CA root I have on this PC. Almost everyone is certainly not "good people" in the sense that I meant. Security is a difficult subject, and people who understand it well are rare. It unfortunately also tends to attract the personality type that is keen on finding faults and inherently suspicious of the motivations of others. I have a great deal of respect for many of the people I've met who have both a profound understanding of technical issues and the ability to make sound decisions. If you read the entire long historical list of SHA-1 exchanges, you'll find a profound lack of respect for the opinions of others in many places. That tends to cause people to not participate, in much the same way as it caused me to slowly back away from the conversation at the time. > > I attempted to speak up a few times in various fora but it was pretty > > clear that anything that wasn't security posturing wasn't going to be > > listened to, and finding a practical solution was not on the agenda. > > It was pretty clear sitting in the room that certain persons had > > already made up their minds before they even understood what a payment > > terminal was, how they are managed, and what the costs and risks were > > for each potential alternative. > > If we're being frank, my impression is that First Data lied in their submission to > us and if it came solely to my discretion that would be enough to have justified > telling them "No" on its own the first time. Honestly, First Data is not my favorite company. I tend to disagree with their representatives more often than not. And I'm not asserting they or others should have gotten what they wanted, only that the level of discourse was not where it should have been. This is perhaps less obvious to those who only followed the discussions on the list, and did not participate on the calls and in person. I actually think the tone on m.d.s-p has improved quite a bit in the last year or two. It's one of the reasons I participate here from time to time, where previously I rarely if ever did. I would like to see it continue moving in the right direction. > As to understanding what a payment terminal is, how about "The cheapest > possible device that passes the bare minimum of tests to scrape through" ? Is > that a good characterisation? It is not. Such extreme cynicism is generally a symptom of a lack of objectivity. -Tim
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
