Ian G wrote:
On Wednesday 11 May 2005 02:05, Ram A Moskovitz wrote:

Gerv, are you or MF required to sign an NDA of any kind to attend?

A good point! And one that shouldn't have needed to be asked, but given recent revelations about Mofo's private revenue arrangements (for good or for bad), I guess this is now on the table.

Some comments on this topic and the points raised in this thread:

First, note that time permitting I plan on attending the same meeting Gerv is going to. I have not signed any NDAs, nor have I been asked to sign any NDAs. This isn't specific to this meeting, incidentally; I'm not under any NDAs whatsoever with regard to any discussions I've had with anyone in the course of my CA-related MF activities. My general policy on private vs. public discussions is as follows:

I prefer to conduct discussions in full public view, but I am happy to have private discussions with anyone if that's their preference. In the course of doing the CA policy stuff, I have had private discussions (some via email, some via phone, and a couple in person) with lots of people, including a number of people participating in this discussion. (You know who you are :-)

When speaking to people in private, I generally say the same things I say in public, with perhaps a bit more candor. I don't say things in private that are at odds with my public statements; if you ever find me doing this please feel free to call me out on it.

If people want to discuss things with me in private then I assume that they have their own reasons for doing so, and I'm not going to blithely repeat their comments to others (whether in public or private), even in the absence of an NDA; that applies to this meeting just as to any other private discussions I have. However if people have made public statements on the same subjects, or there is other publicly available information pertaining to the discussions, then I consider it fair game to refer to those statements and information in my own public comments.

Also, I understand that people's views should not necessarily be confused with those of their employers, plus I feel an obligation to maintain a general stance of neutrality with regard to the various CAs, given my position as passer of judgement upon them. Thus I generally don't like to comment on specific CAs by name, but prefer to make my comments general in nature.

Second, unless there's something going on that I'm unaware of (and I'd be very surprised if that were the case), then there's no money at stake here for the Mozilla Foundation. It's basically just a continuation of the discussions we've been having on this list: as the CA market changes, and as people get worried about phishing and similar things, how commercial CAs might offer differentiated products to their customers, and how browser vendors (including the Mozilla Foundation) might support them in that effort, e.g., through a revamped SSL UI, classifying CAs into different types, etc.

The incentive for browser vendors to work with CAs is not monetary, at least not for the Mozilla Foundation. Rather it's really how and whether these efforts might make a difference for typical end users.

Per my above comments, if I do end up going to this meeting with Gerv, don't expect to see me publishing a detailed report on any discussions. However if I have time in the next few weeks I will post any relevant thoughts I have in reference to the general issues discussed, based on public information available to me or anyone else.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security