Re: COVID-19 and CA Operational Status
On Mon, Mar 23, 2020 at 6:18 PM Burton wrote:

> Hi Ryan,
>
> I’m of the belief that CAs are a public service and as such they should provide public information regarding their operational status. The questions outlined below were open ended to provide CAs flexibility in the way they approach answering the questions.

While I appreciate that explanation, I disagree that there's much more value to be had versus asking CAs what their favorite color was or how they were feeling today. These questions are vague, and your further comments (quoted) only emphasize the "damned if they do, damned if they don't" approach you're proposing, which I think is quite unhealthy.

> I believe that the questions are of value to the community only if CAs cooperate by providing answers that are useful, brief and to the point instead of non useful throwaway answers.
>
> To end, I do hope that most if not all CAs answer these simple questions

As a party deeply invested and interested in the trustworthiness of CAs, I cannot help but again stress that these are anything but simple.

> as it doesn’t look good if they don’t because CAs are about trust and trust is fulfilled by being open as they can be regarding their operations. Without said openness there is no trust.

I think it's worth asking whether that same justification applies to asking CAs what their favorite color was, or how much each person makes, or what they had for breakfast. You might think that's not fair, because operational status is, yanno, operational, but the lack of definition here is so profound that it makes the questions meaningless.

I also worry that rather than improve participation here by CAs, it serves as a barrier and a justification for why they shouldn't, if "just anyone" can submit questions that they have to answer, are judged if they don't, and judged if they do.

The policy doesn't require that degree of participation, as it says (emphasis added):

CAs MUST follow and be aware of discussions in the mozilla.dev.security.policy forum, where Mozilla's root program is coordinated. They are encouraged, *but not required,* to contribute to those discussions.

I think the process of formal CA Communications is designed to try to ask questions that are crisp, clear, and actionable - which is why these communications undergo public review for feedback before they're sent, to try to make sure they're asking the right questions. It also helps clarify what's required, and what isn't.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: COVID-19 and CA Operational Status
All,

If Mozilla decides to ask each CA in our program these types of questions, we will do so via a CA Communication (https://wiki.mozilla.org/CA/Communications).

I appreciate Burton's curiosity, but your participation in this particular discussion thread is optional, and will not be considered to be your CA's response to an official Mozilla CA Communication and survey.

Thanks,
Kathleen
Re: COVID-19 and CA Operational Status
Hi Ryan,

I’m of the belief that CAs are a public service and as such they should provide public information regarding their operational status. The questions outlined below were open ended to provide CAs flexibility in the way they approach answering the questions.

I believe that the questions are of value to the community only if CAs cooperate by providing answers that are useful, brief and to the point instead of non useful throwaway answers.

To end, I do hope that most if not all CAs answer these simple questions as it doesn’t look good if they don’t because CAs are about trust and trust is fulfilled by being open as they can be regarding their operations. Without said openness there is no trust.

Thank you
Burton

I didn’t want CAs to disclose confidential information publicly I wanted to know

On Mon, 23 Mar 2020 at 21:42, Ryan Sleevi wrote:

> On Mon, Mar 23, 2020 at 3:13 PM Burton via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> CAs,
>>
>> Please can you give a brief statement regarding these questions below:
>>
>> a) What’s your operational status at this time?
>>
>> b) Do you expect in the next six months to maintain an adequate operational status?
>>
>> c) If the worst case scenario does happen, what have you planned to maintain operationally?
>
> I think it's unlikely to get responses from many CAs. There is purely risk here, with an unclear goal. I appreciate the clarity, but I also don't think m.d.s.p. is necessarily a good venue for CA communications. For example, if you'd like to submit this to Kathleen as a suggestion for a CA communication, that might be a more productive endeavor.
>
> It also means that open ended questions like this may not get consistent answers across CAs. For example, CA Foo might say their operational status is "Case Nightmare Green" while CA Bar might say that their operational status is "Major Tom" and CA Baz says "The eagle has left the nest". Those are answers, but are they helpful? Similarly, "adequate" operational status and "worst case" are equally ill-defined.
>
> In short, while I appreciate the curiosity, I don't think anything of value can be gained from this thread, at least holistically. And it just seems inherently risky for CAs to respond without that shared context.
Re: COVID-19 and CA Operational Status
On Mon, Mar 23, 2020 at 3:13 PM Burton via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> CAs,
>
> Please can you give a brief statement regarding these questions below:
>
> a) What’s your operational status at this time?
>
> b) Do you expect in the next six months to maintain an adequate operational status?
>
> c) If the worst case scenario does happen, what have you planned to maintain operationally?

I think it's unlikely to get responses from many CAs. There is purely risk here, with an unclear goal. I appreciate the clarity, but I also don't think m.d.s.p. is necessarily a good venue for CA communications. For example, if you'd like to submit this to Kathleen as a suggestion for a CA communication, that might be a more productive endeavor.

It also means that open ended questions like this may not get consistent answers across CAs. For example, CA Foo might say their operational status is "Case Nightmare Green" while CA Bar might say that their operational status is "Major Tom" and CA Baz says "The eagle has left the nest". Those are answers, but are they helpful? Similarly, "adequate" operational status and "worst case" are equally ill-defined.

In short, while I appreciate the curiosity, I don't think anything of value can be gained from this thread, at least holistically. And it just seems inherently risky for CAs to respond without that shared context.
COVID-19 and CA Operational Status
CAs,

Please can you give a brief statement regarding these questions below:

a) What’s your operational status at this time?

b) Do you expect in the next six months to maintain an adequate operational status?

c) If the worst case scenario does happen, what have you planned to maintain operationally?

Thank you,
Burton