Re: The current and future role of national CAs in the root program

2019-03-07 Thread Ryan Sleevi via dev-security-policy
Do you believe there is new information or insight you’re providing from
the last time this was discussed and decided?

For example:
https://groups.google.com/forum/m/#!searchin/mozilla.dev.security.policy/Government$20CAs/mozilla.dev.security.policy/JP1gk7atwjg

https://groups.google.com/forum/m/#!searchin/mozilla.dev.security.policy/Government$20CAs/mozilla.dev.security.policy/tr_PDVsZ6-k

https://groups.google.com/forum/m/#!searchin/mozilla.dev.security.policy/Government$20CAs/mozilla.dev.security.policy/qpwFbcRfBmk

I included the search query in the URL, so that you can examine for
yourself what new insight or information is being provided. I may have
missed some salient point in your message, but I didn’t see any new insight
or information that warranted revisiting such discussion.

In the spirit of
https://www.mozilla.org/en-US/about/forums/etiquette/ , it may be best to
let sleeping dogs lie here, rather than continuing this thread. However, if
you feel there has been some significant new information that’s been
overlooked, perhaps you can clearly and succinctly highlight that new
information.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: The current and future role of national CAs in the root program

2019-03-07 Thread Jakob Bohm via dev-security-policy

On 07/03/2019 23:02, Ryan Sleevi wrote:

> Do you believe there is new information or insight you’re providing from
> the last time this was discussed and decided?
>
> For example:
> https://groups.google.com/forum/m/#!searchin/mozilla.dev.security.policy/Government$20CAs/mozilla.dev.security.policy/JP1gk7atwjg
>
> https://groups.google.com/forum/m/#!searchin/mozilla.dev.security.policy/Government$20CAs/mozilla.dev.security.policy/tr_PDVsZ6-k
>
> https://groups.google.com/forum/m/#!searchin/mozilla.dev.security.policy/Government$20CAs/mozilla.dev.security.policy/qpwFbcRfBmk
>
> I included the search query in the URL, so that you can examine for
> yourself what new insight or information is being provided. I may have
> missed some salient point in your message, but I didn’t see any new insight
> or information that warranted revisiting such discussion.
>
> In the spirit of
> https://www.mozilla.org/en-US/about/forums/etiquette/ , it may be best to
> let sleeping dogs lie here, rather than continuing this thread. However, if
> you feel there has been some significant new information that’s been
> overlooked, perhaps you can clearly and succinctly highlight that new
> information.



I was stating that the very specific discussion that recently
unfolded (and which I promised not to mention by name in this thread)
has contained very many opinions on the topic.  In fact, the majority of
posts by others have circled on either the entropy issue or this very
issue of what criteria and procedures should be used for trusting
national CAs and if those criteria should be changed.

Your own posts on Feb 28, 2019 13:54 UTC and Mar 4, 2019 16:31 UTC were
among those posts, as were posts by hackurx, Alex Gaynor, nadim, Wayne 
Thayer, Kristian Fiskerstrand and Mathew Hardeman.


I took care not to state what decisions should be made, merely to
summarize the issues in a clear and seemingly non-controversial way,
trying to be inclusive of the opinions stated by all sides.  If there
are additional points on the topic that I forgot or that may arise later
in the specific discussion, they can and should be added such that there
will be a useful basis for discussion of whatever should or should not
be done long term, once the specific single case has been handled.

I did not wake this sleeping dog, it was barking and yanking its chain
all week.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: The current and future role of national CAs in the root program

2019-03-07 Thread Ryan Sleevi via dev-security-policy
On Thu, Mar 7, 2019 at 11:38 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 07/03/2019 23:02, Ryan Sleevi wrote:
> > Do you believe there is new information or insight you’re providing from
> > the last time this was discussed and decided?
>

> I took care not to state what decisions should be made, merely to
> summarize the issues in a clear and seemingly non-controversial way,
> trying to be inclusive of the opinions stated by all sides.


These issues have already been decided. Neither the previous posting, nor
this, adds any new information or value to the discussion. The answers have
been provided by Module Owners and Peers previously, as to the questions
that you believe need answered, as I just demonstrated. There is no need to
pose or summarize them as somehow unanswered questions - a cursory
examination, as demonstrated, reveals they have been discussed, debated,
and decided.

If you believe there is significantly new information that merits
revisiting, the burden is on you to demonstrate that and contextualize it
to see how it compares to the past conversation. However, at present,
attempting to simply repeat questions that have already been answered, as
if to prompt new debate, is not only unproductive - it's actively
detrimental.

This thread should end here.


Re: The current and future role of national CAs in the root program

2019-03-07 Thread Peter Bowen via dev-security-policy
On Thu, Mar 7, 2019 at 11:45 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Currently the Mozilla root program contains a large number of roots that
> are apparently single-nation CA programs serving their local community
> almost exclusively, including by providing certificates that they can
> use to serve content with the rest of the world.
>
> For purposes of this, I define a national CA as a CA that has publicly
> self-declared that it serves a single geographic community almost
> exclusively, with that area generally corresponding to national borders
> of a country or territory.
>


> 5. Should the root program policies provide rules that enforce the
>   self-declared scope restrictions on a CA[?]


This has been discussed and the decision was no.  This in turn moots your
6-9.

> 10. The root trust data provided in the Firefox user interface does not
>   clearly indicate the national or other affiliation of the trusted
>   roots, such that concerned users may make informed decisions
>   accordingly.   Ditto for the root program dumps provided to other he st
>   users of the Mozilla root program data (inside and outside the Mozilla
>   product family).  For example, few users outside Scandinavia would
>   know that "Sonera" is really a national CA for the countries in which
>   Telia-Sonera is the incumbent Telco (Finland, Sweden and Åland).
>

Mozilla has specifically chosen to not distinguish between "government
CAs", "national CAs", "commercial CAs", "global CAs", etc.  The same rules
apply to every CA in the program.  Therefore, the "national or other
affiliation" is not something that is relevant to the end user.

These have all been discussed before and do not appear to be relevant to
any current conversation.

Thanks,
Peter


Re: The current and future role of national CAs in the root program

2019-03-08 Thread Jakob Bohm via dev-security-policy

On 08/03/2019 06:27, Peter Bowen wrote:

> ...
>
> Mozilla has specifically chosen to not distinguish between "government
> CAs", "national CAs", "commercial CAs", "global CAs", etc.  The same rules
> apply to every CA in the program.  Therefore, the "national or other
> affiliation" is not something that is relevant to the end user.
>
> These have all been discussed before and do not appear to be relevant to
> any current conversation.



Many (not me) in the recent discussion of a certain CA have called
for this to be changed one way or another.  This is the only thing
that is new.

As I wrote earlier, there were a lot of general policy ideas and
questions mixed into the discussion of that specific case, and my
post was an attempt to summarize those questions and ideas raised by
others.

Maybe the ultimate result will be no change, maybe not.  The
discussion certainly has been raised by a lot of people.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: The current and future role of national CAs in the root program

2019-03-08 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 8, 2019 at 7:31 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Many (not me) in the recent discussion of a certain CA have called
> for this to be changed one way or another.  This is the only thing
> that is new.
>

I do not believe this is an accurate or correct summary of others
viewpoints that have been shared, and certainly not to the degree that it's
reasonable to highlight "other" people as a basis for violating etiquette.

Given the concerns raised, and as has been pointed out, the decisions made,
unless you personally believe there is significant new information that
would reasonably prompt reconsideration of the original decision, please do
not attempt threads like this. As has been previously summarized, the
present discussion is very similar to past discussions. The burden is to
demonstrate what new information warrants reconsidering, and that burden
rests with the person opening the thread. This is why it's best to let
people speak for themselves and advocate their own positions.