Risk is a very tricky thing to assess. Firstly, risk cannot be assessed without proper attention to the value at risk, and the threats against that value.
See my response to David Ross for related comments.
A better way may be to reflect those risk assessments back to those that carry the losses - the users.
This could be done by opening up a forum for every new CA proposal. (Actually, it could be done for all old ones as well). Just like the current CACert bug that started this thread, each CA could have an ongoing forum for user comment.
I have actually been thinking about this, based on the principle of providing more transparency into mozilla.org processes and policies. I'd like to see others weigh in on this issue, whether pro or con. One way to do this would be through a combination of bugzilla and a forum for interested parties -- somewhat analogous to the "security group" we created to address reports of security vulnerabilities, except that in this case I see no reason not to make this a fully public process.
Most users would never look at the practices of a CPA, as a) they have not the time nor patience, or b) there is nowhere to place their comments and assessments even if they had the time. However, if there was a defined forum for comment, it could be hoped that sufficient close Mozilla users would do sufficient analysis on the major CAs such that the Mozilla Foundation could simply refer to the sentiment on the forums.
Thus, they would outsource the risk assessment. As policy, this would also remove the liability.
I agree that "outsourcing" risk assessment in this way, whether in part or in whole, is worth considering. However it's not clear to me that this would actually mitigate whatever liability issues might exist. (Of course, this could still be worth doing for other reasons.)
One other minor comment:
> We may elect to publish submitted information for use
> by Mozilla users and others; please note any information
> which you consider to be proprietary and not for public
> release.
This opens up a bait and switch. Secret information may be provided to Mozilla that will be suppressed and unavailable to the public. In the event of a dispute, this information may be relevant to the public party, but will be unknown to them. I'd recommend that all information provided be deemed public, non-proprietary, and publishable by Mozilla.
That's a good point; I will definitely consider revising this language along the lines you suggest.
Frank

--
Frank Hecker
hecker.org
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
