On Wed, Jan 11, 2012 at 9:36 AM, Gervase Markham <g...@mozilla.org> wrote:
Mozilla needs a space in between "public" and "security group" (or "employees"). We've needed one for a long time; this is just another manifestation of the issue.
So how about representation of the users' interests within the "security group" or "employees" via an elected or appointed position? Right now, the security group (particularly the participants in the CABF from Mozilla) seems to be a place where the end users, particularly the well-informed and strongly-motivated end users, have no voice at all. It seems to be a place where shadowy decisions are made in back-room deals by shady, non-elected characters. Unfortunately, it also is the place where the end-users who want to do their own due diligence need to have someone they can trust, but are stonewalled and stymied every time they try to effect any kind of change. The "security group" and "employees" involved here are operating contrary to Mozilla's board-approved principles. Unless and until Mozilla shows that it has effective corporate governance and decision auditing, it's getting no more of my donor dollars. It's also getting my anti-Mozilla opinions slapped everywhere. (I live in Mountain View, 1.1 miles from the Castro Street headquarters. Guess where much of my oration is going to be?) The security group's service to the Mozilla principles is a joke, it's a farce, and Mozilla needs someone in that group who isn't going to just say "PKI me harder", who isn't so certain that his or her vision of PKI is the only correct interpretation that he/she/they completely shut out any and all attempts to change the PKI status quo with "RESOLVED INVALID", without any engagement in any kind of dialogue about why or how these attempts might actually have merit. In other words, the employees need to have their ivory tower demolished. Until that happens, no progress toward actual user security can be made. -Kyle H
_______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security