On Saturday 28 May 2005 02:14, Tyler Close wrote:
> On 5/27/05, Ian G <[EMAIL PROTECTED]> wrote:
> > And, both petname and trustbar were roundly rejected
> > by the Mozilla security community. Strike two.
>
> My understanding was that no one on this list has the authority to
> introduce a new tool into the Firefox UI and the only person who has
> that authority, Ben Goodger, doesn't read this list.

Authority is sort of the wrong way to look at it. MoPro is, like many open source projects, a volunteer and consensual project. However security tends to be best treated as the override to that, and it is one of the differentiators between things like Mozilla and the security projects like the crypto and BSD groups that the latter have clearly defined strategic security directors.

Perhaps a better way to frame it is that there is no security leadership or direction. It's absent. Which leads (by a few hops, skips and jumps) to another future.

One way to move forward is to create a branch and start shipping your own version. One oriented towards what your views are on user security. This is in fact what Ben Goodger did with Firefox, but his focus was on other things. To do that one would need a clear view ahead for many months of hard hacking I'd suspect; something I've never had.

> Seems like more
> of a dead end than a rejection. Not very encouraging either way, but
> it's not "roundly rejected". At least, I thought not. I admit I had
> hoped for more from this mailing list.

Well, I hate to be the wet blanket. Whatever you want to term it, it was the same thing as happened to Trustbar, to Gerv's stuff, to the SSH bug fix suggestions that were filed, back in history to the Smith&Ye project.

There is strong correlation here. In the most summary terms anything that can be thought of as changing the security model is rejected. As all these things change the model to fix the insecurities in the model - of course - they are all rejected on the basis that they change the model.

So we are at an impasse, and that won't change until there is a disaster I suspect. I'm hoping that the disaster will be Microsoft showing the way with the Longhorn update, as the alternate is someone publishing some real stats on how many MoPro users have been phished, which would be much much worse because that raises liability.

iang
--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html