I will try to further explain my thoughts on this. As we all know,
according to Mozilla Policy "CAs MUST follow and be aware of discussions
in the mozilla.dev.security.policy
<https://www.mozilla.org/about/forums/#dev-security-policy> forum, where
Mozilla's root program is coordinated". I believe Mozilla Root store
managers' minimum expectations from CAs are to _read the messages and
understand the content of those messages_. Right now, we have [1], [2],
[3], [4], [5], [6], [7], [8], [9] policy-related threads opened up for
discussion since October 15th.
If every post in these threads contained as much information and
complexity as your recent reply to Clemens, I think it eventually
"abuses" the requirement that CAs must follow discussions in m.d.s.p.
and leads to fatigue. Understanding the complicated English language
used, especially for non-Native English speakers, is a very challenging
and difficult task of its own. Therefore, I think it is unreasonable for
Mozilla Root store managers to expect that CAs will follow and
understand all of these discussions if these threads are bombarded with
long and complicate emails that only very few will be able to read and
understand.
I think sending specific questions is a good advice and I will try to do
that next week, but please try to also consider and respect the fact
that CAs have a finite set of resources to work on these issues, among
other duties. An unexpected increase in the volume of information CAs
must follow, creates a risk that something critical might be missed,
despite the good efforts of CAs having allocated the necessary resources
to monitor these lists and Bugzilla incidents.
I obviously can't suggest anyone to post more or less, each person has
the right to post whatever he/she deems necessary. I just wanted you to
know, as a peer to this Module, that some participants of this Root
Program want to contribute and continue to do so, and it would help
tremendously if some messages were shorter and simpler to read. Perhaps
breaking down your long reply into more than one messages might make
them easier to process, I don't know.
Thanks for listening :-)
Dimitris.
[1]:
https://groups.google.com/g/mozilla.dev.security.policy/c/4fhP4iV4ut4/m/WQknrWbhAAAJ
[2]:
https://groups.google.com/g/mozilla.dev.security.policy/c/ZFLsguJyFDo/m/Tmn5rcXhAAAJ
[3]:
https://groups.google.com/g/mozilla.dev.security.policy/c/oJiMmvAJXdI/m/ZhH6oLwpAAAJ
[4]:
https://groups.google.com/g/mozilla.dev.security.policy/c/3sW3_cRBrfo/m/ErldH8JWAQAJ
[5]:
https://groups.google.com/g/mozilla.dev.security.policy/c/Oqd2iKCFELI/m/f9Kfs0M0BAAJ
[6]:
https://groups.google.com/g/mozilla.dev.security.policy/c/DChXLJrMwag/m/uGpEqiEcBgAJ
[7]:
https://groups.google.com/g/mozilla.dev.security.policy/c/nMrORsPPcds/m/hVahATyTBwAJ
[8]:
https://groups.google.com/g/mozilla.dev.security.policy/c/rbSFMYKlfI4/m/3kvOhydWAQAJ
[9]:
https://groups.google.com/g/mozilla.dev.security.policy/c/xk3BanrcljY/m/8dFyM-5pAQAJ
On 2020-11-07 1:40 π.μ., Ryan Sleevi via dev-security-policy wrote:
On Fri, Nov 6, 2020 at 6:08 PM Dimitris Zacharopoulos via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
Can other people, except Ryan, follow this thread? I certainly can't. Too
much information, too much text, too many assumptions, makes it impossible
to meaningfully participate in the discussion.
These are complex topics, for sure, but that’s unavoidable. Participation
requires a degree of understanding both about the goals to be achieved by
auditing, as well as the relevant legal and institutional frameworks for
these audits. So, admittedly, that’s not the easiest to jump into.
Could you indicate what you’re having trouble following? I don’t know that
we can do much about “too much information”, since that can be said about
literally anything unfamiliar, but perhaps if you would simply ask
questions, or highlight what you’d like to more about, it could be more
digestible?
What would you say your desired outcome from your email to be? Accepting,
for a second that this is a complex topic, and so discussion will
inherently be complex, and so a response such as “make it simpler for me”
is a bit unreasonable.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
