Nelson B wrote:
> Ian G wrote:
>> The reason for that language is that *if* it is important
>> to people then the language will be used against Mozilla
>> to advance some agenda or other.
> If mozilla needs to change the policy in the future, it can do so.

This argues both for adding that at a later date,
and taking out things, at a later date. What it doesn't
address is whether any of these ideas are useful or not.

>> ...The notion of tying people to some policy in
>> the future is one fraught with danger.
> Then I guess we should have NO policy, eh?
> Let every mozilla CA root czar do whatever he pleases, eh?

No, this is the reason that Frank has written it to
be loose in the areas that discretion is indicated,
and tighter in areas where we all seem to agree. I'm
not however expecting it to be perfect, I suspect in
a year, we'll all be thwoking our foreheads over some
mistake or other.

>> People better than us have been working on this
>> problem for more years than we can count.
> This problem hasn't been around for more years than we can count.

The problem of how to get someone in the future to
follow laid down policy agreed by people in the past
has been around at least since the beginning of
organised democracy.

(I ruled out salaries earlier, which leaves democracy
and laws as a useful analogue.)

> There are mozilla drivers who have said they don't trust *ANY* CAs and
> just want encryption. I guess they are omniscient and can always tell
> without any help whether they're being attacked or not. God help
> mozilla if they get to exercise total discretion over the root CA list.

Not trusting CAs can be read two ways:
* there is no default reason to trust CAs,
* the CAs are distrusted.
Or a third view: all certs should be taken and trusted at face value.

> The person to whom I'm referring (you know who) says he trusts no CAs,

Specifically, I don't know who. It would make things
a lot simpler if you just mentioned names, and I
don't see it as a grave accusation as you seem to be
intimating. It would be much more interesting if we
could simply ask the question why this person doesn't
trust any CAs ... and then we could move on to measuring
the policy against that person's reasons.

> yet he is apparently willing to use all certs because doing so gives him
> encryption. He apparently thinks that encryption == security, and that
> authentication is unnecessary. He probably has no concept of MITM.
> Maybe he thinks that he can tell if he's being phished or not by
> careful examination of the loaded page's contents.
> Shall we let him exercise total discretion over the root CAs?

Well, all this sounds very confused, but I suspect
that's partly your own suspicion over these alternate
viewpoints.

Security is a very difficult area, and there is no
doubt that many are confused about it. I wouldn't
take it as a shocking accusation at all to find some
confused notions there, it's a matter of recorded
fact that the people who put together all of the
systems that we are discussing got some of the areas
completely wrong. This isn't meant to be an accusation,
it's simply a reflection of the complexity of the area,
they did the best they could at the time.

FYI, security is going through a bit of a revisionist
period at the moment, as researchers are working to
disentangle why apparently good systems didn't work
and why apparently bad systems did work. Some of the
notions that are being wound back include such things
like non-repudiation, signatures, identity, trusted
third parties, online certification. These are all
things that have been roundly criticised and where
protocols are themselves based on these concepts,
they also suffer flaws.

(One of the questions I am working on is "what is
security?" and to many people's surprise, perhaps,
there isn't a good answer. What this means is
that almost every system that went out there and
said it delivered security did so almost by
definition on false assumptions. Just by way of
example of how seemingly simple questions can blow
away years of work.)

>> The alternate is that we have to seek the
>> re-approval of the document every time the concerns change to
>> better reflect what threats we are facing today.
> Precisely the point! I see that as a good thing!
>> But that means your concerns are the right concerns.
> Our concerns. It means the concerns of the people who collectively
> form the policy are the right ones, and no one individual should
> have the power to ignore them at his sole discretion.

No matter what and how the policy ends up saying,
we are still talking about an open source, volunteer
organisation. The power to ignore is built into
everything that Mozilla does; it's all about rough
consensus and forking if not able to agree.

Frank is trying to write the policy to recognise
that he has no control over who or what the people
do after he's moved on. He's not presenting them
with a fait accompli, simply because they'll ignore
it if it's not to their desire.

>> You simply can't write down your concerns
>> and expect other people to understand them,
>> or to follow them.
> You are arguing that there is no point in a written policy because
> people will not follow it. In that case, Frank can stop now, I guess.

Nope, I'm saying that if it is written as an
expectation, then that ignores the whole ethos of
Mozilla. It's a consensus, best efforts, best
judgement organisation, not the army. It would
be totally reasonable to expect someone to say
"today, I'm not following the policy, but I'm
doing this anyway."

> I think we are pursuing a policy precisely because we can and DO
> "expect other people to understand them [and] to follow them."

Help, promote, advise, hope, suggest ... would all
be better than "expect". Unless the guy in the hot
seat is on a salary, and is charged formally with
following the policy, I think expectation is simply
too strong.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto