Re: Proposal to split this list

[Johnathan Nightingale]

This isn't a problem with our IT folks, they solve their part in record 
time, typically.  Google groups has been having troubles lately picking 
up both this and another group that was recently created.  We've 
contacted them about it, but we don't really want a bunch of people 
posting threads in a group that's not yet indexed by the dominant 
newsgroup search provider.


I imagine updates will be posted in the bug as they become available, 
though.


Cheers,

Johnathan

Kyle Hamilton wrote:

Can we please have someone at Mozilla light a fire under the sysadmin
staff to get this working?

-Kyle H

On Mon, Jan 26, 2009 at 8:20 PM, Gervase Markham  wrote:

Paul Hoffman wrote:

Having a separate policy list would help the technology folks focus
on what they do best. It would also help keep the policy people keep
their discussion out of bits-on-the-wire and up in the "what should
we be doing" layer.

OK, then.
https://bugzilla.mozilla.org/show_bug.cgi?id=475473
filed to create mozilla.dev.security.policy. And please let's not have a
bikeshed discussion about the name.

Gerv

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Kyle Hamilton]

Can we please have someone at Mozilla light a fire under the sysadmin
staff to get this working?

-Kyle H

On Mon, Jan 26, 2009 at 8:20 PM, Gervase Markham  wrote:
> Paul Hoffman wrote:
>> Having a separate policy list would help the technology folks focus
>> on what they do best. It would also help keep the policy people keep
>> their discussion out of bits-on-the-wire and up in the "what should
>> we be doing" layer.
>
> OK, then.
> https://bugzilla.mozilla.org/show_bug.cgi?id=475473
> filed to create mozilla.dev.security.policy. And please let's not have a
> bikeshed discussion about the name.
>
> Gerv
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ian G]

On 9/2/09 20:15, Ben Bucksch wrote:

On 09.02.2009 17:45, Ian G wrote:

I've posted something ... hopefully non-contraversial ...: a
suggestion on the list charter.


That was a good one.



It didn't last more than 30 seconds :-)  Oh well, I suppose the list 
will be active some time.


iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ben Bucksch]

On 09.02.2009 17:45, Ian G wrote:
I've posted something ... hopefully non-contraversial ...:  a 
suggestion on the list charter.


That was a good one.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ian G]

On 5/2/09 18:34, Frank Hecker wrote:


https://lists.mozilla.org/listinfo/dev-security-policy

so perhaps it's working as well. (I don't read these forums via email,
perhaps you or someone else can try subscribing.)


Yes, email is working fine.  Dunno about the rest.


Given the problems we've had in getting this group up and running, I'd
prefer to wait a few more days before we start switching policy-related
discussions over to it.



Np.  I've posted something soft, hopefully non-contraversial and 
non-critical:  a suggestion on the list charter.




iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ian G]

On 5/2/09 18:34, Frank Hecker wrote:

Ian G wrote:

OK, I'll wait. I don't have an NNTP reader, or don't know what one is.


We'll forgive you the confusion. It's like saying "HTTP reader" instead
of "browser" :-)


Oh, it's newsgroup reader, got it, thanks.



Is it something in Firefox or Thunderbird?


You can read Mozilla newsgroups in Thunderbird by creating a "newsgroup"
account, specifying news.mozilla.org as your server, and then
subscribing to the mozilla.* groups you want to read.



OK, I tried that and it blew up my Thunderbird.  I'm running the beta 
3.0b1, probably just too brave of me.  Another furfy is that I'm trying 
to set it to localhost:port to go out through tunnels.  For some strange 
reason, it got itself in a real mess, and started adding multiple 
accounts with different names every time I tried to set the port number 
in the account.


If I get another chance I'll try and do more investigation, but am busy 
now.  I never could handle these newfangled newsgroup forums :)



...


The corresponding dev-security-pol...@mozilla.org list doesn't yet show
up in the list of mailing lists at lists.mozilla.org, though it does
have its own page now:

https://lists.mozilla.org/listinfo/dev-security-policy

so perhaps it's working as well. (I don't read these forums via email,
perhaps you or someone else can try subscribing.)



Yes, tried that, am subscribed, I'll await someone else's post this time.


Given the problems we've had in getting this group up and running, I'd
prefer to wait a few more days before we start switching policy-related
discussions over to it.



OK, so we all know we should do that ... (and there is no automatic 
copying of everyone to the new list).



iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Frank Hecker]

Ian G wrote:
OK, I'll wait.  I don't have an NNTP reader, or don't know what one is. 


We'll forgive you the confusion. It's like saying "HTTP reader" instead 
of "browser" :-)



 Is it something in Firefox or Thunderbird?


You can read Mozilla newsgroups in Thunderbird by creating a "newsgroup" 
account, specifying news.mozilla.org as your server, and then 
subscribing to the mozilla.* groups you want to read.


As it happens, I tried just now to subscribe to the 
mozilla.dev.security.policy newsgroup, and lo and behold it is now 
present in the list and appears to be working.


The corresponding  dev-security-pol...@mozilla.org list doesn't yet show 
up in the list of mailing lists at lists.mozilla.org, though it does 
have its own page now:


https://lists.mozilla.org/listinfo/dev-security-policy

so perhaps it's working as well. (I don't read these forums via email, 
perhaps you or someone else can try subscribing.)


Finally, Google Groups does not appear to know about the new group yet:

http://groups.google.com/group/mozilla.dev.security.policy

so there's no easy way to post URLs for forum threads.

Given the problems we've had in getting this group up and running, I'd 
prefer to wait a few more days before we start switching policy-related 
discussions over to it.


Frank

--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ian G]

On 5/2/09 14:22, Eddy Nigg wrote:

On 02/05/2009 03:14 PM, Ian G:

Excellent, OK, so I went here:

https://lists.mozilla.org/listinfo/dev-security

and subscribed. I guess it is up to each person to do that.



Ian, this is the wrong list. The new list is called dev.security.policy,
not dev.security.



Ouch.  Blew that one!



It seems that the new list doesn't show up at listinfo. Perhaps try with
the NNTP reader.



OK, I'll wait.  I don't have an NNTP reader, or don't know what one is. 
 Is it something in Firefox or Thunderbird?


iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Eddy Nigg]

On 02/05/2009 03:14 PM, Ian G:

Excellent, OK, so I went here:

https://lists.mozilla.org/listinfo/dev-security

and subscribed. I guess it is up to each person to do that.



Ian, this is the wrong list. The new list is called dev.security.policy, 
not dev.security.


It seems that the new list doesn't show up at listinfo. Perhaps try with 
the NNTP reader.



--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ian G]

Excellent, OK, so I went here:

  https://lists.mozilla.org/listinfo/dev-security

and subscribed.  I guess it is up to each person to do that.

Now, the list charter!  As a starting point:

==
a. Discussion on security policy, governance, directions and 
architecture in common for Mozilla products, as managed by Mozilla 
Foundation and implemented by various groups in the Mozilla family.


b. Responsibility for the management and improvement of the Mozilla CA 
policy, including:


   i.   making changes to the policy
   ii.  managing the root list
   iii. dealing with problems

This list is led by the security module owner, as appointed by Mozilla 
Foundation.

==

Perhaps follow up to that should be only on the list itself.  Or perhaps 
not :)


iang

On 5/2/09 00:28, Eddy Nigg wrote:


Seems to work here. Cross-posting to m.d.s.policy.

But it seems messages are slow in appearing anyway, no matter which list...



--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Eddy Nigg]

On 02/04/2009 09:11 PM, Frank Hecker:

OK, thanks for the info. I guess we'll just wait for this to resolve
itself, then we can verify that the new group is operating properly (and
the mailing list also) and then make an announcement in m.d.t.crypto and
m.d.security.



Seems to work here. Cross-posting to m.d.s.policy.

But it seems messages are slow in appearing anyway, no matter which list...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Frank Hecker]

Johnathan Nightingale wrote re bug 475473:
I think that bug isn't resolved yet because google groups has been 
acting up a bit lately.  Another recent newsgroup creation, 
(mozilla.dev.tree-management) was finally picked up about a week after 
creation, but messages still aren't appearing there.


OK, thanks for the info. I guess we'll just wait for this to resolve 
itself, then we can verify that the new group is operating properly (and 
the mailing list also) and then make an announcement in m.d.t.crypto and 
m.d.security.


Frank

--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Johnathan Nightingale]

On 4-Feb-09, at 1:37 PM, Frank Hecker wrote:


Gervase Markham wrote:

Paul Hoffman wrote:

Having a separate policy list would help the technology folks focus
on what they do best. It would also help keep the policy people keep
their discussion out of bits-on-the-wire and up in the "what should
we be doing" layer.

OK, then.
https://bugzilla.mozilla.org/show_bug.cgi?id=475473
filed to create mozilla.dev.security.policy. And please let's not  
have a

bikeshed discussion about the name.


Gerv, thanks for handling this. For the record, I'm happy with  
moving policy discussions to a separate group. However bug 475473  
implies that the new group is up and running, while I can't find it  
either in Thunderbird (i.e., via NNTP) or on the Google Groups site.



I think that bug isn't resolved yet because google groups has been  
acting up a bit lately.  Another recent newsgroup creation,  
(mozilla.dev.tree-management) was finally picked up about a week after  
creation, but messages still aren't appearing there.


Cheers,

Johnathan

---
Johnathan Nightingale
Human Shield
john...@mozilla.com



--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Frank Hecker]

Gervase Markham wrote:

Paul Hoffman wrote:

Having a separate policy list would help the technology folks focus
on what they do best. It would also help keep the policy people keep
their discussion out of bits-on-the-wire and up in the "what should
we be doing" layer.


OK, then.
https://bugzilla.mozilla.org/show_bug.cgi?id=475473
filed to create mozilla.dev.security.policy. And please let's not have a
bikeshed discussion about the name.


Gerv, thanks for handling this. For the record, I'm happy with moving 
policy discussions to a separate group. However bug 475473 implies that 
the new group is up and running, while I can't find it either in 
Thunderbird (i.e., via NNTP) or on the Google Groups site.


Frank

--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ian G]

On 29/1/09 12:53, Ben Bucksch wrote:

On 27.01.2009 05:20, Gervase Markham wrote:

https://bugzilla.mozilla.org/show_bug.cgi?id=475473
filed to create mozilla.dev.security.policy



(Only caveat: phishing doesn't really belong in either group. It's
usually handled in security, although it's about communication.)

Crypto is generating a lot of discussion, but I personally think that
security should not be deluded by the many crypto discussions.



Common bug in security :)



So, I propose both a m.d.crypto.policy and a m.d.security.policy. CA
policy would be discussed in m.d.crypto.policy.



I would disagree.  CA policy has relatively little to do with crypto. 
The CA isn't crypto, it's a bit that was added into the wider security 
system to fix a shortfall in the protocol.


I would stick with the original suggestion of dev-security-policy.

One thing we should avoid is overstressing the value of taxonomies, as 
any tree structured system is always bound to muck complex areas up, 
especially areas that integrate a lot of different disciplines.


Instead, we should concentrate on what is written in the list charter 
text that is sent to the new subscribers.




iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Paul Hoffman]

At 12:53 PM +0100 1/29/09, Ben Bucksch wrote:
>On 27.01.2009 05:20, Gervase Markham wrote:
>>https://bugzilla.mozilla.org/show_bug.cgi?id=475473
>>filed to create mozilla.dev.security.policy. And please let's not have a
>>bikeshed discussion about the name.
>>  
>
>Sorry to do just that, but I think it's more than bikeshed:
>
>I do not think that CA policy discussion belongs in .security (or anything 
>near it). I think that crypto and security are two distinct things: crypto 
>protects communication, while security protects my systems. Crypto is about 
>SSL, S/MIME. Security is about bugs/holes and application update.

I vote "bikeshed".
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Johnathan Nightingale]

On 29-Jan-09, at 6:53 AM, Ben Bucksch wrote:


On 27.01.2009 05:20, Gervase Markham wrote:

https://bugzilla.mozilla.org/show_bug.cgi?id=475473
filed to create mozilla.dev.security.policy. And please let's not  
have a

bikeshed discussion about the name.



Sorry to do just that, but I think it's more than bikeshed:

I do not think that CA policy discussion belongs in .security (or  
anything near it). I think that crypto and security are two distinct  
things: crypto protects communication, while security protects my  
systems. Crypto is about SSL, S/MIME. Security is about bugs/holes  
and application update.


(Only caveat: phishing doesn't really belong in either group. It's  
usually handled in security, although it's about communication.)


Crypto is generating a lot of discussion, but I personally think  
that security should not be deluded by the many crypto discussions.


So, I propose both a m.d.crypto.policy and a m.d.security.policy. CA  
policy would be discussed in m.d.crypto.policy.


I understand the taxonomy you're describing, but I don't think our  
newsgroup names really need to reflect that subtlety. I suspect that  
new contributors interested in CA policy issues will not find  
security.policy to be an unintuitive locale, and given that the  
newsgroup doesn't exist yet, I'm not very worried that, for instance,  
the CA policy discussions will overwhelm other security policy  
discussions there.


I guess what I'm saying is that we shouldn't over-engineer this up  
front. security.policy can take the policy load off of m.d.t.c, which  
I think we all see the value in.  If, in time, it becomes such a  
flourishing community of policy discussion that we need to split it, I  
would consider that a first-class problem to have. In the meantime, my  
concern is that we not bifurcate a group that, until last week, we  
didn't have in the first place.


Cheers,

Johnathan

---
Johnathan Nightingale
Human Shield
john...@mozilla.com



--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ben Bucksch]

On 27.01.2009 05:20, Gervase Markham wrote:

https://bugzilla.mozilla.org/show_bug.cgi?id=475473
filed to create mozilla.dev.security.policy. And please let's not have a
bikeshed discussion about the name.
   


Sorry to do just that, but I think it's more than bikeshed:

I do not think that CA policy discussion belongs in .security (or 
anything near it). I think that crypto and security are two distinct 
things: crypto protects communication, while security protects my 
systems. Crypto is about SSL, S/MIME. Security is about bugs/holes and 
application update.


(Only caveat: phishing doesn't really belong in either group. It's 
usually handled in security, although it's about communication.)


Crypto is generating a lot of discussion, but I personally think that 
security should not be deluded by the many crypto discussions.


So, I propose both a m.d.crypto.policy and a m.d.security.policy. CA 
policy would be discussed in m.d.crypto.policy.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Gervase Markham]

Paul Hoffman wrote:
> Having a separate policy list would help the technology folks focus
> on what they do best. It would also help keep the policy people keep
> their discussion out of bits-on-the-wire and up in the "what should
> we be doing" layer.

OK, then.
https://bugzilla.mozilla.org/show_bug.cgi?id=475473
filed to create mozilla.dev.security.policy. And please let's not have a
bikeshed discussion about the name.

Gerv

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ian G]

On 16/1/09 17:33, Paul Hoffman wrote:

At 6:05 AM + 1/16/09, Gervase Markham wrote:

Nelson B Bolyard wrote:

3. I wonder if the non-developer topics are already within the scope of
another extant low-traffic list, namely dev-security (a.k.a.
mozilla.dev.security), except that I think the new list does not belong
in the "dev" hierarchy.

In an ideal world, it wouldn't, but it does seem to me that the upside
of a somewhat more accurate list name has to balance against the
downside of creating Yet Another List.

If we were to create another one, it would be only to solve this
problem, which would mean we'd need a new hierarchy - e.g.
mozilla.policy. But security and crypto are really the only areas of
Mozilla policy which have anything like as much debate as this. So it
would be a fairly empty hierarchy.

So, I'm currently minded to just take steps to move all these
discussions to mozilla.dev.security. But I'm happy to hear objections.


I'm happy to hear that you're happy to hear. :-) Objection.

Security has two very distinct aspects, policy and technology, that have less 
overlap than is commonly thought. People mash them together because they are so 
happy to think that someone wants to hear their security concern that they'll 
just say what they think wherever they can. The very significant downside of 
this mixing is that security technology moves forward much slower than it 
should.

Security implementers rarely want to talk about policy after a month or two. 
People who are concerned with security policy can go on for years (well, 
decades for some of us).

Having a separate policy list would help the technology folks focus on what they do best. 
It would also help keep the policy people keep their discussion out of bits-on-the-wire 
and up in the "what should we be doing" layer.



I agree with Paul.  The separation of policy from technology is also a 
question of professionalism and responsibility.


iang
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Paul Hoffman]

At 6:05 AM + 1/16/09, Gervase Markham wrote:
>Nelson B Bolyard wrote:
>> 3. I wonder if the non-developer topics are already within the scope of
>> another extant low-traffic list, namely dev-security (a.k.a.
>> mozilla.dev.security), except that I think the new list does not belong
>> in the "dev" hierarchy.
>
>In an ideal world, it wouldn't, but it does seem to me that the upside
>of a somewhat more accurate list name has to balance against the
>downside of creating Yet Another List.
>
>If we were to create another one, it would be only to solve this
>problem, which would mean we'd need a new hierarchy - e.g.
>mozilla.policy. But security and crypto are really the only areas of
>Mozilla policy which have anything like as much debate as this. So it
>would be a fairly empty hierarchy.
>
>So, I'm currently minded to just take steps to move all these
>discussions to mozilla.dev.security. But I'm happy to hear objections.

I'm happy to hear that you're happy to hear. :-) Objection.

Security has two very distinct aspects, policy and technology, that have less 
overlap than is commonly thought. People mash them together because they are so 
happy to think that someone wants to hear their security concern that they'll 
just say what they think wherever they can. The very significant downside of 
this mixing is that security technology moves forward much slower than it 
should.

Security implementers rarely want to talk about policy after a month or two. 
People who are concerned with security policy can go on for years (well, 
decades for some of us).

Having a separate policy list would help the technology folks focus on what 
they do best. It would also help keep the policy people keep their discussion 
out of bits-on-the-wire and up in the "what should we be doing" layer.

--Paul Hoffman
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Gervase Markham]

Nelson B Bolyard wrote:
> 3. I wonder if the non-developer topics are already within the scope of
> another extant low-traffic list, namely dev-security (a.k.a.
> mozilla.dev.security), except that I think the new list does not belong
> in the "dev" hierarchy.

In an ideal world, it wouldn't, but it does seem to me that the upside
of a somewhat more accurate list name has to balance against the
downside of creating Yet Another List.

If we were to create another one, it would be only to solve this
problem, which would mean we'd need a new hierarchy - e.g.
mozilla.policy. But security and crypto are really the only areas of
Mozilla policy which have anything like as much debate as this. So it
would be a fairly empty hierarchy.

So, I'm currently minded to just take steps to move all these
discussions to mozilla.dev.security. But I'm happy to hear objections.

Gerv
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Gervase Markham]

Eddy Nigg wrote:
> On 01/05/2009 01:36 AM, Nelson B Bolyard:
>> 3. I wonder if the non-developer topics are already within the scope of
>> another extant low-traffic list, namely dev-security (a.k.a.
>> mozilla.dev.security), except that I think the new list does not belong
>> in the "dev" hierarchy.
> 
> A dev.security...yes, the forgotten step child of crypto. At times
> we used to post there (and cross post to crypto) and don't know why
> crypto became the de-facto list for all CA/SSL/Policy related issues.

Possibly because it's where announcements have historically been made
about the discussion period for included CAs.

Such discussions are both political and technical, and so range across
the two lists.

> BTW, I unsubscribed from all Mozilla mailing lists and use now the
> fabulous NNTP support of Thunderbird. Lightweight, fast and without the
> headache of passwords and subscription preferences. Nelson you can
> deduct one of the "unsubscribes" which was me moving to the news reader.
> I wish there were more mailing lists with NNTP support, I can only
> recommend it.

This sort of thing is why we tried very hard, and continue to try to
make sure that all Mozilla communication channels are available via
HTTP, NNTP and SMTP :-) Different people have very different
preferences. I'm an NNTP person myself.

Gerv

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Gervase Markham]

Paul Hoffman wrote:
> I propose that Mozilla form a new mailing list,
> dev-policy-trustanchors. The topics for that list would include:
> 
> - All new trust anchors being added to the Mozilla trust anchor pile 
> - Proposals for changes to the Mozilla trust anchor policy -
> Complaints about particular participants in the current trust anchor
> pile - Discussion of the UI aspects of the PKI in various Mozilla
> software

Ignoring the exact choice of name for a moment, we are looking into
setting up a list for security policy topics. Watch this space.

Gerv
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Julien R Pierre - Sun Microsystems]

Paul,

Paul Hoffman wrote:

At 1:35 PM -0800 1/5/09, Wan-Teh Chang wrote:

On Sun, Jan 4, 2009 at 12:32 PM, Paul Hoffman  wrote:

I propose that Mozilla form a new mailing list, dev-policy-trustanchors. The 
topics for that list would include:

- All new trust anchors being added to the Mozilla trust anchor pile
- Proposals for changes to the Mozilla trust anchor policy
- Complaints about particular participants in the current trust anchor pile
- Discussion of the UI aspects of the PKI in various Mozilla software

The first three topics are appropriate for the proposed new mailing list.
(I would use "root CAs" instead of "trust anchors" in the mailing list's
name because "trust anchors" sounds a little too technical.)


I beg to differ here. There has been a lot of discussion of allowing people to 
add self-signed certs that are not CAs to their list of trusted CAs. Those 
would be roots, but they would not be CAs. They are, in fact, trust anchors.


The PKI UI in mozilla clients is not just about selecting trust anchors 
and using self signed cert. It has many other functions - backing 
up/restoring your own certs and keys, etc.


And it's a bit difficult to separate all the the cert management from 
PKCS#11 token issues since certs live in tokens by definitions.


So, I think the UI issues should remain together in this list with NSS 
issues.

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Julien R Pierre - Sun Microsystems]

Paul Hoffman wrote:

At 12:11 AM +0100 1/4/09, Jan Schejbal wrote:

Why is this relevant to this mailing list?

Because there was a security failure in one of the Firefox trusted CAs allowing 
anyone to get fake certificates. This event and the reaction of the CA are 
important to determine if the CA is (still) trustworthy. It's the same as the 
Commodo thing. Just with a way better reaction and without the dodgy background 
of dozens of resellers doing (or, in at least one case, not doing) the Domain 
Verification.


Sorry, but I don't see that listed as a topic for discussion on the mailing list's 
information page .

I propose that Mozilla form a new mailing list, dev-policy-trustanchors. The 
topics for that list would include:

- All new trust anchors being added to the Mozilla trust anchor pile
- Proposals for changes to the Mozilla trust anchor policy
- Complaints about particular participants in the current trust anchor pile
- Discussion of the UI aspects of the PKI in various Mozilla software


I would be in favor of having a separate group/list to discuss the first 
3 above issues.


Regarding UI, it's a bit less clear where the discussion of that 
belongs. I think given that developer questions are usually lower 
traffic, maybe it's OK to have the UI and developer questions remain 
together in one single list.

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Daniel Veditz]

Paul Hoffman wrote:
> You are missing the parts where there are actual technical questions
> or assertions in the middle of threads that started as trust anchor
> rants.

Requesting actual details in the middle of a long ranty thread is a good
way to get missed no matter what newsgroup or topic.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list (was: Re: Full Disclosure!)

[Paul Hoffman]

At 1:35 PM -0800 1/5/09, Wan-Teh Chang wrote:
>On Sun, Jan 4, 2009 at 12:32 PM, Paul Hoffman  wrote:
>>
>> I propose that Mozilla form a new mailing list, dev-policy-trustanchors. The 
>> topics for that list would include:
>>
>> - All new trust anchors being added to the Mozilla trust anchor pile
>> - Proposals for changes to the Mozilla trust anchor policy
>> - Complaints about particular participants in the current trust anchor pile
>> - Discussion of the UI aspects of the PKI in various Mozilla software
>
>The first three topics are appropriate for the proposed new mailing list.
>(I would use "root CAs" instead of "trust anchors" in the mailing list's
>name because "trust anchors" sounds a little too technical.)

I beg to differ here. There has been a lot of discussion of allowing people to 
add self-signed certs that are not CAs to their list of trusted CAs. Those 
would be roots, but they would not be CAs. They are, in fact, trust anchors.

>The fourth topic is not related to trust anchor policy. 

Somewhat true, but they are a direct outgrowth of it. Note that I said "the UI 
aspects of the PKI", not "the UI aspects of security".

>So I'd propose
>that it stay in this mailing list even though it is not strictly speaking
>related to crypto either.

It is far less related to crypto than it is to trust anchor policy.

>I'm reading this mailing list using a mail program that supports
>threaded discussions, so all the discussions about root CAs
>don't prevent me from answering the real crypto questions.  I
>don't need the proposed new mailing list, but I don't object
>to it either.

You are missing the parts where there are actual technical questions or 
assertions in the middle of threads that started as trust anchor rants.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list (was: Re: Full Disclosure!)

[Wan-Teh Chang]

On Sun, Jan 4, 2009 at 12:32 PM, Paul Hoffman  wrote:
>
> I propose that Mozilla form a new mailing list, dev-policy-trustanchors. The 
> topics for that list would include:
>
> - All new trust anchors being added to the Mozilla trust anchor pile
> - Proposals for changes to the Mozilla trust anchor policy
> - Complaints about particular participants in the current trust anchor pile
> - Discussion of the UI aspects of the PKI in various Mozilla software

The first three topics are appropriate for the proposed new mailing list.
(I would use "root CAs" instead of "trust anchors" in the mailing list's
name because "trust anchors" sounds a little too technical.)

The fourth topic is not related to trust anchor policy.  So I'd propose
that it stay in this mailing list even though it is not strictly speaking
related to crypto either.

I'm reading this mailing list using a mail program that supports
threaded discussions, so all the discussions about root CAs
don't prevent me from answering the real crypto questions.  I
don't need the proposed new mailing list, but I don't object
to it either.

Wan-Teh
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ben Bucksch]

On 05.01.2009 01:35, Nelson B Bolyard wrote:

There's no mozilla.policy hierarchy.


It can be created.
There's already a mozilla.governance, which would fit there, too.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ben Bucksch]

On 05.01.2009 01:00, Eddy Nigg wrote:
A dev.security...yes, the forgotten step child of crypto. At times 
we used to post there (and cross post to crypto) and don't know why 
crypto became the de-facto list for all CA/SSL/Policy related issues.


Because crypto (including CA) is just a small and very special part of 
security.
For me, security is mostly about preventing others to take over my 
computer. Apart from the updater depending on SSL, this has nothing to 
do with crypto, but all with buffer overflows, JS sandbox/caps etc..
In other words, crypto is about secure transfer. Security is about 
firewalling/protecting my own premises.



FWIW, I read both via NNTP.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Kyle Hamilton]

On Sun, Jan 4, 2009 at 4:45 PM, Paul Hoffman  wrote:
>>Ian G wrote, On 2009-01-04 16:01:
>>There's no mozilla.policy hierarchy.  So I'm searching for ideas for a
>>good hierarchy for these discussions.  Here are some ideas.  How about:
>>
>>mozilla.security.CA
>>mozilla.security.UI
>>mozilla.security.pki
>
> +1 to .CA or .PKI, -1 to .UI. There is more to the security UI than PKIX, and 
> there is much more to trust anchors than UI.

Paul, I believe you're correct, but I also believe that Ian was
suggesting an AND, not an OR.

.CA (I'd actually suggest 'trustanchors') for trust anchor
inclusion/exclusion discussion. +1 under either name.
.UI for user interface issues (and ho boy there are many of them).  +1 to this.

Interestingly, I can't really see much reason for a .pki (except
possibly as an adjunct to .UI, since any changes to the PKI should
only be brought about due to usability requirements, and since .pki
would be more of a technical discussion of the changes that need to be
made... eventually [hopefully] leading to spec documents that code can
be written to adhere to).  +0, but I'm willing to listen to arguments
for and against.

-Kyle H
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Paul Hoffman]

>Ian G wrote, On 2009-01-04 16:01:
>> On 4/1/09 21:32, Paul Hoffman wrote:
>>
>>> I propose that Mozilla form a new mailing list,
>>> dev-policy-trustanchors. The topics for that list would include:
>>>
>>> - All new trust anchors being added to the Mozilla trust anchor pile
>>> - Proposals for changes to the Mozilla trust anchor policy
>>> - Complaints about particular participants in the current trust anchor pile
>>> - Discussion of the UI aspects of the PKI in various Mozilla software
>>
>> I agree in principle.  I would suggest "policy-ca" or "ca-policy" being
>> anything in or around the CA policy, as that is the name of the thing.
>>
>> Comments:
>>
>>1. I don't think the discussions here are anything to do with dev.
>>2. trustanchors seems a too precise term, and I would prefer to see
>> it dropped (for liability reasons).
>>3. I would love to see real discussion of the UI aspects.  I have no
>> idea how to talk to those people, they should be here.
>>4. This topic is also about legal relationships.  Calling it "policy"
>> tends to sweep the liabilities under the carpet.
>
>There's no mozilla.policy hierarchy.  So I'm searching for ideas for a
>good hierarchy for these discussions.  Here are some ideas.  How about:
>
>mozilla.security.CA
>mozilla.security.UI
>mozilla.security.pki

+1 to .CA or .PKI, -1 to .UI. There is more to the security UI than PKIX, and 
there is much more to trust anchors than UI.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Nelson B Bolyard]

Ian G wrote, On 2009-01-04 16:01:
> On 4/1/09 21:32, Paul Hoffman wrote:
> 
>> I propose that Mozilla form a new mailing list,
>> dev-policy-trustanchors. The topics for that list would include:
>>
>> - All new trust anchors being added to the Mozilla trust anchor pile
>> - Proposals for changes to the Mozilla trust anchor policy
>> - Complaints about particular participants in the current trust anchor pile
>> - Discussion of the UI aspects of the PKI in various Mozilla software
> 
> I agree in principle.  I would suggest "policy-ca" or "ca-policy" being 
> anything in or around the CA policy, as that is the name of the thing.
> 
> Comments:
> 
>1. I don't think the discussions here are anything to do with dev.
>2. trustanchors seems a too precise term, and I would prefer to see 
> it dropped (for liability reasons).
>3. I would love to see real discussion of the UI aspects.  I have no 
> idea how to talk to those people, they should be here.
>4. This topic is also about legal relationships.  Calling it "policy" 
> tends to sweep the liabilities under the carpet.

There's no mozilla.policy hierarchy.  So I'm searching for ideas for a
good hierarchy for these discussions.  Here are some ideas.  How about:

mozilla.security.CA
mozilla.security.UI
mozilla.security.pki

others?
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Eddy Nigg]

On 01/05/2009 01:36 AM, Nelson B Bolyard:

3. I wonder if the non-developer topics are already within the scope of
another extant low-traffic list, namely dev-security (a.k.a.
mozilla.dev.security), except that I think the new list does not belong
in the "dev" hierarchy.


A dev.security...yes, the forgotten step child of crypto. At times 
we used to post there (and cross post to crypto) and don't know why 
crypto became the de-facto list for all CA/SSL/Policy related issues.


BTW, I unsubscribed from all Mozilla mailing lists and use now the 
fabulous NNTP support of Thunderbird. Lightweight, fast and without the 
headache of passwords and subscription preferences. Nelson you can 
deduct one of the "unsubscribes" which was me moving to the news reader. 
I wish there were more mailing lists with NNTP support, I can only 
recommend it.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Ian G]

On 4/1/09 21:32, Paul Hoffman wrote:


I propose that Mozilla form a new mailing list, dev-policy-trustanchors. The 
topics for that list would include:

- All new trust anchors being added to the Mozilla trust anchor pile
- Proposals for changes to the Mozilla trust anchor policy
- Complaints about particular participants in the current trust anchor pile
- Discussion of the UI aspects of the PKI in various Mozilla software



I agree in principle.  I would suggest "policy-ca" or "ca-policy" being 
anything in or around the CA policy, as that is the name of the thing.


Comments:

  1. I don't think the discussions here are anything to do with dev.
  2. trustanchors seems a too precise term, and I would prefer to see 
it dropped (for liability reasons).
  3. I would love to see real discussion of the UI aspects.  I have no 
idea how to talk to those people, they should be here.
  4. This topic is also about legal relationships.  Calling it "policy" 
tends to sweep the liabilities under the carpet.




Topics that would still be germane for dev-tech-crypto would include

- Questions on how to add or remove trust anchors from various Mozilla software 
(without any discussion of why someone wants to do it)
- Discussion of how to implement alternate UI schemes for PKI (that is, what 
hooks are available in NSS for detecting positive and negative results)



Agreed.  It would be nice if we could do that.


All of Eddy's recent threads (being slimed by a Comodo reseller, finding a 
reseller that doesn't do domain validation, advertising that he had a domain 
validation bug but fixed it) would all be appropriate on the new list.

The current list is way too unfocused. People asking actual tech questions get 
drowned out by threads that have literally nothing to do with crypto but 
everything to do with policy.

Thoughts?



Absolutely, +1.

iang
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Nelson B Bolyard]

Paul Hoffman wrote, On 2009-01-04 12:32:
> I propose that Mozilla form a new mailing list, dev-policy-trustanchors.

> The current list is way too unfocused. People asking actual tech
> questions get drowned out by threads that have literally nothing to do
> with crypto but everything to do with policy.
> 
> Thoughts?

Did you mean to start a new thread?  Doing so requires more than merely
changing the subject.  You must post a message that is not a reply to do so.

1. In my view, there are 3 broad categories of discussion that go on in
this list.  They are (in no particular order):

a) technical discussion about NSS, JSS and PSM code and protocols
   (primarily of interest to developers, IMO)
b) root CA certs and related policy
c) UI/GUI ("ooey gooey" :) for crypto and certs in Mozilla products.

One of those clearly belongs in Mozilla's "developer technology"
hierarchy.  It's less clear that the other two belong there.

2. As moderator of the dev-tech-crypto mailing list, I receive an email
each and every time someone subscribes or unsubscribes.  Every month the
list receives a certain number of subscriptions and unsubscriptions,
with the result that the list has steadily grown at a rate of 1-3 a month
for a long time.  When the volume of non-developer discussions greatly
increased (approximately in September or October), we saw an increase in
the number of monthly unsubscriptions.  It reached (and briefly surpassed)
the rate of subscriptions.  But the number of subscriptions rose again in
November, and since December 21, it has suddenly jumped up.

I think those observations suggest that the discussion of non-developer
topics such as root certs and browser UI has increased the level of
participation (even if mostly passive) in the subject of cryptographic
security in Mozilla products, which is good, but that has come at a cost
to the level of participation by those who were primarily interested in
developer topics.

I think both groups (developers and non-developers) might be better
served by separating the discussions into separate lists.  But developers
may be very interested in both classes of topics and may not wish to
subscribe to yet another list to follow both.

3. I wonder if the non-developer topics are already within the scope of
another extant low-traffic list, namely dev-security (a.k.a.
mozilla.dev.security), except that I think the new list does not belong
in the "dev" hierarchy.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Justin Dolske]

On 1/4/09 12:32 PM, Paul Hoffman wrote:


I propose that Mozilla form a new mailing list, dev-policy-trustanchors.


Yes. I'd also very much like to see this split. I'm interested in the 
technical side of things, but not so much the policy stuff (and, 
frankly, the incessant bickering and advocacy that goes along with it).


Maybe policy-crypto, instead of policy-trustanchors? That might be a bit 
more discoverable, makes the connection to dev-crypto clearer, and is a 
more general policy-vs-tech split. Usenet-wise, I'd think it should 
probably be mozilla.policy.crypto (or mozilla.policy.trustanchors), 
instead of in the .dev hierarchy.


Justin
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to split this list

[Eddy Nigg]

On 01/04/2009 10:32 PM, Paul Hoffman:

The current list is way too unfocused. People asking actual tech questions get 
drowned out by threads that have literally nothing to do with crypto but 
everything to do with policy.

Thoughts?



+1 from me.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Proposal to split this list (was: Re: Full Disclosure!)

[Paul Hoffman]

At 12:11 AM +0100 1/4/09, Jan Schejbal wrote:
>>Why is this relevant to this mailing list?
>
>Because there was a security failure in one of the Firefox trusted CAs 
>allowing anyone to get fake certificates. This event and the reaction of the 
>CA are important to determine if the CA is (still) trustworthy. It's the same 
>as the Commodo thing. Just with a way better reaction and without the dodgy 
>background of dozens of resellers doing (or, in at least one case, not doing) 
>the Domain Verification.

Sorry, but I don't see that listed as a topic for discussion on the mailing 
list's information page .

I propose that Mozilla form a new mailing list, dev-policy-trustanchors. The 
topics for that list would include:

- All new trust anchors being added to the Mozilla trust anchor pile
- Proposals for changes to the Mozilla trust anchor policy
- Complaints about particular participants in the current trust anchor pile
- Discussion of the UI aspects of the PKI in various Mozilla software

Topics that would still be germane for dev-tech-crypto would include

- Questions on how to add or remove trust anchors from various Mozilla software 
(without any discussion of why someone wants to do it)
- Discussion of how to implement alternate UI schemes for PKI (that is, what 
hooks are available in NSS for detecting positive and negative results)

All of Eddy's recent threads (being slimed by a Comodo reseller, finding a 
reseller that doesn't do domain validation, advertising that he had a domain 
validation bug but fixed it) would all be appropriate on the new list.

The current list is way too unfocused. People asking actual tech questions get 
drowned out by threads that have literally nothing to do with crypto but 
everything to do with policy.

Thoughts?

--Paul Hoffman
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto