Duane wrote:
Peter Gutmann wrote:


You may as well name 'em since it's fairly well known, it's Verisign (yes, the


Actually another one, so that makes 2 of them (at least)...


Duane,

Either you are working for some company and you have
a conflict of interest that stops you doing security
work.  Or you are working to put security out to
users.

If you have a conflict of interest, it's best if you
declare this.  If there is something stopping you
from dealing directly in the security of users for
Mozilla, then let's hear it.  That's ok.  It's still
possible to do great work with conflicts of interest
as long as everyone knows what not to ask you to do.

Maybe your conflict of interest is that you work with
CACert and it is not good to antagonise the other CAs?
If so, state that.

Otherwise, who is it?  Name them.  Shame them.  Don't
worry, they'll ignore you.  But those here who are trying
to craft security directions for Mozilla will not, and
we can only do that if we have the facts.  If they are
holding up the Mozilla users from receiving better
security then we need to know.

Security does not compromise on facts.  It can be poisoned
from within as from without, and poisoning from within
starts with keeping information confidential.  Once there
is a lid on information, security stalls.  It gels, it
stagnates.

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security