On Sat, Nov 7, 2020 at 4:52 AM Dimitris Zacharopoulos <ji...@it.auth.gr>
wrote:

>
> I will try to further explain my thoughts on this. As we all know,
> according to Mozilla Policy "CAs MUST follow and be aware of discussions in
> the mozilla.dev.security.policy
> <https://www.mozilla.org/about/forums/#dev-security-policy> forum, where
> Mozilla's root program is coordinated". I believe Mozilla Root store
> managers' minimum expectations from CAs are to *read the messages and
> understand the content of those messages*. Right now, we have [1], [2],
> [3], [4], [5], [6], [7], [8], [9] policy-related threads opened up for
> discussion since October 15th.
>
> If every post in these threads contained as much information and
> complexity as your recent reply to Clemens,
>

This seems like a strawman argument, but I don’t think it’s intentional.

You’re arguing that “if things were like this hypothetical situation, that
would be bad”. However, they aren’t like that situation, as the evidence
you provided shows. This also goes back to the “what is your desired
outcome from your previous mail” question, and trying to work out a clear
call to action to address your concerns. Your previous message, especially in
the context of your (hypothetical) concern, reads like you’re suggesting
“Mozilla shouldn’t discuss policy changes with the community”. I think
we’re all sensitive and aware of the desire not to have too many parallel
discussions, which is exactly why Ben’s been only introducing a few points
a week, to facilitate that and make progress without overwhelming.

As it relates to this thread, or any other thread, it seems the first order
evaluation for any CA is “Will the policy change”, followed by “What do I
need to do to meet the policy?”, both of which are still very early in this
discussion. You’re aware of the policy discussion, and you’re aware a
decision has not been made yet: isn’t that all you need at this point?
Unlike some of the other proposals, which require action by CAs, this is a
proposal that largely requires action by auditors, because it touches on
the audit framework and scheme. It seems like, in terms of expectations for
CAs to participate, discussing this thread with your auditor is the
reasonable step, and working with them to engage here.

Hopefully that helps. Your “but what if” is easily answered as “but we’re
not”, and the “this is a lot, what do I need to do” is simply “talk with
your auditor and make sure they’re aware of discussions here”. That seems a
very simple, digestible call to action?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy