On 3/5/09 15:32, Ben Bucksch wrote:
On 03.05.2009 09:06, Ian G wrote:
(5) possibly as consequence of all the above, it can be claimed that
it is an empty threat, and no more than a security/marketing tool for
PKI people.

Consequently, we need to either:
* Make that threat not empty


This is harder done than said. In order to make a threat of removal work, we would have to set it up so that we are fair, documented, disciplined, open, and agreed. We might get around 1 of 5 points in that list, currently. Let me rant on a bit...

1. Fairness cannot be done by the consensus model. We need a fair method, not democracy, in the sense that it is a gathering of many wolves and a few sheep, all voting who to eat for dinner.

2. Documented: we need procedures for this. Without a documented procedure, all actions are arbitrary.

3. Disciplined. We all have to follow the spirit. Which is to say we have to give and take. Accept some knocks. Mea culpa and all that.

4. Open: it needs to be discussed here in the open. We probably earn half a point here. At a minimum, the ruling needs to be delivered, which doesn't get us the other half point as yet.

5. Agreed. We need to agree to all the above. Here, we get about half a point, because anyone who participates has entered into a spirit of an agreement. We just disagree on what it is, and where it is, and whether it binds us to something serious.

1 out of 5 points, before the threat becomes something worthwhile. This isn't going to change much, so perhaps some pragmatism: accept that it is an empty threat? The CAs already act as if it is an empty threat, maybe the users should as well.



iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
