Re: Quorum requirements for approval of CAs?
On 11/2/09 02:19, Kyle Hamilton wrote:

> That's a very good question. The most important part of the answer to it would have to be: don't discount what they say.

Right.

> However, I have a suggested strategy for reviewers: don't limit your review to only those trust bits that are initially requested. This way, if there is an amendment to the bug which requests additional bits to be set, then we don't have to waste our time doing an entire new review of the CP/CPS/public information to figure out if those new trust bits are also appropriate.

You could also ask CAs to signal in advance in the docs of any changes coming up in the next year (especially before the next audit cycle)?

> I'm asking this because I think a template which includes a statement of requirements would be an exceedingly good thing for people undertaking reviews for Mozilla CA program inclusion -- and would open up the process to people who have less interior working knowledge of a CA. This would also allow people who are otherwise untrained, but who want to take an interest in their security, to understand what the reviews entail and what Mozilla's priorities are.
>
> (for example:
> Please identify the section of the public documentation which addresses each point below:
>
> SERVER: Performs domain control verification
> How does the CA perform this? (if not performed, answer "N/A"; if not described, answer "Unspecified")
> ...

Right, this is to set up a criteria for review purposes.

Note that (for various motives & historical reasons) we have now in place two reviews. One is done according to pt 8 of the policy, and is done by a person according to pt 9. This one is commonly called "the audit." The other is done according to the Mozilla (evolving) checklist, and is done by Mozilla with help from outsiders.

I do not see that this is wrong, on the face of it. But it is good to be aware of these things, because it raises complications, such as what the line between the two is, and whether one reviewer should cover the work of the other as well, etc.

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Quorum requirements for approval of CAs?
On 11/2/09 01:59, Eddy Nigg wrote:

> It's perhaps an opportunity for me to explain why I'm here and why I think others - specially representatives and employees of CAs - should too.

OK, invitation accepted! I'm here to get a couple of fixes spliced into the Mozilla DNA:

1. add a feedback loop to the business. (start by documenting what's there now.)
2. set Mozilla's liability to endusers to zero. (therefore the liability rests with the enduser.)

Although simple to write, easy to do, and relatively easy to explain, any changes seem controversial and scary [1].

There is an open question in my mind as to whether Mozilla can make changes. Lack of response on these might suggest that the team hasn't the space to sit back and think about the wider issues. They are too busy doing the CA reviews [2]. So they need more people.

Which brings us full circle to Frank's observation that we would be better off to use open governance techniques like open review of CAs, not employ more people [3]. To which my counter-response would be: people doing open governance are doing it for a reason; they want a trade. In my case, it is some sense that Mozilla is moving forward and making changes and improvements to the system. If there is no possibility of improving the system there is no need to be here.

That's my view. It could of course change tomorrow.

iang

[1] how they relate to CAcert is much longer and mostly irrelevant to the discussion, but if anyone is interested, ask away, I already wrote the long email on this and discarded it for length. Or read the super-long description on http://iang.org/papers/open_audit_lisa.html

[2] Another response might be that these should really be discussed with the legal guy, who isn't here, or the board, which has fiduciary responsibility. Yet a third response might be, actually, no, we don't want to do that, we want to simplify our approach not complicate it.

[3] I would normally champion such a thing!
Re: Quorum requirements for approval of CAs?
Kyle Hamilton wrote:

> I'm asking this because I think a template which includes a statement of requirements would be an exceedingly good thing for people undertaking reviews for Mozilla CA program inclusion -- and would open up the process to people who have less interior working knowledge of a CA. This would also allow people who are otherwise untrained, but who want to take an interest in their security, to understand what the reviews entail and what Mozilla's priorities are.

We have the CA checklist as a template for information gathering:

https://wiki.mozilla.org/CA:Information_checklist

and also some similar stuff on the "how to apply" page:

https://wiki.mozilla.org/CA:How_to_apply

Is this the sort of thing you were thinking of?

Frank

P.S. These are on a wiki, so if you or anyone else wants to modify these pages to make them more useful for newbies, please feel free.

--
Frank Hecker
hec...@mozillafoundation.org
Re: Quorum requirements for approval of CAs?
That's a very good question. The most important part of the answer to it would have to be: don't discount what they say.

However, I have a suggested strategy for reviewers: don't limit your review to only those trust bits that are initially requested. This way, if there is an amendment to the bug which requests additional bits to be set, then we don't have to waste our time doing an entire new review of the CP/CPS/public information to figure out if those new trust bits are also appropriate.

For each type of trust bit requested, what are the minimum requirements for inclusion?

TLS server: must perform at a minimum domain control verification
email: must perform at a minimum email account control/access verification
software: must perform legal identity verification?
EV: Must perform corporate legal identity verification, must have policy OID for embedding, must have a different audit, cannot use MD5... (come to think of it, I think I'll read the EV document again and figure out all the "must" clauses.)

I'm asking this because I think a template which includes a statement of requirements would be an exceedingly good thing for people undertaking reviews for Mozilla CA program inclusion -- and would open up the process to people who have less interior working knowledge of a CA. This would also allow people who are otherwise untrained, but who want to take an interest in their security, to understand what the reviews entail and what Mozilla's priorities are.

(for example:
Please identify the section of the public documentation which addresses each point below:

SERVER: Performs domain control verification
How does the CA perform this? (if not performed, answer "N/A"; if not described, answer "Unspecified")

SERVER: Performs domain control change revocation
How does the CA perform this?

EMAIL: Performs email account control/access verification
How is it performed?

...and so on.)

-Kyle H

On Tue, Feb 10, 2009 at 3:38 PM, Ian G wrote:
> On 10/2/09 23:02, Eddy Nigg wrote:
>>
>> On 02/10/2009 09:42 PM, Frank Hecker:
>>>
>>> And in any case, I don't see people being as much concerned about having
>>> more Mozilla-employed people involved, but as getting more community
>>> feedback. And I don't have any good answers there because it depends on
>>> having more people willing to volunteer their time.
>>
>> I too think that one person dedicated to CA matters should be
>> sufficient. Perhaps there are some from other CAs and/or otherwise
>> knowledgeable in this field willing to spend ONE hour per week as a
>> contribution to Mozilla? Yes, I'm looking at you!
>
>
> I thought about that too, but discarded it. Certainly some CA input is
> useful, but the danger is that it becomes overbearing and self-serving, and
> could lead to some form of tit-for-tat war between the CAs (assuming that
> there are multiple rounds of reviews, which we would probably all agree is a
> good thing).
>
> The real problem is, how do we get independent people to stick around and
> comment?
>
>
>
> iang
Re: Quorum requirements for approval of CAs?
On 02/11/2009 01:38 AM, Ian G:

> I thought about that too, but discarded it. Certainly some CA input is useful, but the danger is that it becomes overbearing and self-serving, and could lead to some form of tit-for-tat war between the CAs (assuming that there are multiple rounds of reviews, which we would probably all agree is a good thing).

It's perhaps an opportunity for me to explain why I'm here and why I think others - specially representatives and employees of CAs - should too.

Of course I also represent StartCom at times when it's relevant - my signature clearly shows my affiliation. As such, StartCom is also a member at various other open source and open standards projects, therefore my participation here isn't unique per se.

Personally I believe that CAs have an interest that policies for inclusions at the browsers are upheld. Also I believe that people working at CAs have the best knowledge in reviewing and advising on these matters. For example, I viewed the contributions made by Rob & Robin of Comodo and other CAs as entirely positive. The experience and knowledge Kathleen brought with her as an ex-employee of a CA just confirms that knowing about the inner procedures, actual practices and some real-world experience at a CA is almost a necessity. I myself didn't have to make too many reviews either in order to realize that my contribution is rather important to the overall inclusion process - I'm just sorry that I didn't start with it earlier.

Tit-for-tat wars aren't really relevant when there are no deficiencies. If there are deficiencies, they must be dealt with accordingly and it doesn't matter if it's a CA (or employee of a CA) participating here or not. The same policy and same rules apply for all CAs equally. :-)

Important is, and because of the sensitivity, that the judgment and final decisions are made by the responsible person Mozilla assigned for this task. This has been Frank and at times Gerv so far.

A similar situation applies to code and other contributions too. There are various commercial organizations contributing code, patches and services to Mozilla, some of which obviously serve their own interests too - sometimes it's even exclusive. Those contributors are most capable in leading development and contributing towards the various projects and components. There are module owners, reviewers and drivers - sometimes those positions are even held by contributors which work at commercial organizations not affiliated with Mozilla.

Because of that, I think that the participation of CAs and their employees as community members is no precedence and highly useful in my opinion.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
Re: Quorum requirements for approval of CAs?
On 10/2/09 23:02, Eddy Nigg wrote:

> On 02/10/2009 09:42 PM, Frank Hecker:
>> And in any case, I don't see people being as much concerned about having more Mozilla-employed people involved, but as getting more community feedback. And I don't have any good answers there because it depends on having more people willing to volunteer their time.
>
> I too think that one person dedicated to CA matters should be sufficient. Perhaps there are some from other CAs and/or otherwise knowledgeable in this field willing to spend ONE hour per week as a contribution to Mozilla? Yes, I'm looking at you!

I thought about that too, but discarded it. Certainly some CA input is useful, but the danger is that it becomes overbearing and self-serving, and could lead to some form of tit-for-tat war between the CAs (assuming that there are multiple rounds of reviews, which we would probably all agree is a good thing).

The real problem is, how do we get independent people to stick around and comment?

iang
Re: Quorum requirements for approval of CAs?
On 02/10/2009 09:42 PM, Frank Hecker:

> And in any case, I don't see people being as much concerned about having more Mozilla-employed people involved, but as getting more community feedback. And I don't have any good answers there because it depends on having more people willing to volunteer their time.

I too think that one person dedicated to CA matters should be sufficient. Perhaps there are some from other CAs and/or otherwise knowledgeable in this field willing to spend ONE hour per week as a contribution to Mozilla? Yes, I'm looking at you!

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
Re: Quorum requirements for approval of CAs?
On 02/10/2009 09:32 PM, Frank Hecker:

> Eddy Nigg wrote:
>> I would support a review requirement by the community of at least two individuals which independently review the CA.
>
> Do you mean two people besides Kathleen?

Yes, that's my idea...

> That may be difficult to achieve; I think there were a number of requests where you were the only community person who commented.

...which isn't really the perfect state either. Personally I feel that I'm dominating the list at times, specially during reviews and comments periods. I'd very much prefer to have my findings independently confirmed by at least another person.

> I guess we could compare this to the problem of patches sitting in
> the queue for lack of review and superreview.

Yes, that's a good and reasonable comparison.

> Personally I would like
> to see at least some additional review of CA requests, whether that
> be by Eddy or you or whoever. But I'm also not really happy about
> stretching out discussion of CA requests for multiple weeks just
> because no one besides Kathleen has time to look at things,
> especially given the backlog of requests we have.

Well, currently it's not likely that this would happen - and if it would, you'd know about it. But of course that would be the theoretical price to pay for such a requirement.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
Re: Quorum requirements for approval of CAs?
Ian G wrote:

> I think -- personal & likely biased opinion only -- you might get more value by looking inside the foundation and asking them to expand the resources available on the CA desk.

Right now between Kathleen, myself, and Johnathan Nightingale (e.g., his CAB Forum activities) we have probably close to one full-time-equivalent person working on CA stuff in general for MoFo/MoCo/etc. I think we could increase that somewhat, and I hope we will, but I don't see an immediate prospect to have, for example, 2 or more FTEs working on CA stuff. So I think that on the Mozilla side we're going to be resource constrained on this for some time to come.

And in any case, I don't see people being as much concerned about having more Mozilla-employed people involved, but as getting more community feedback. And I don't have any good answers there because it depends on having more people willing to volunteer their time.

Frank

P.S. For what it's worth, this problem is not unique to this area. They're having a discussion right now over in mozilla.governance about there not being a large number of module owners and peers who are independent of Mozilla (i.e., not employees or contractors of MoCo, MoFo, etc.).

--
Frank Hecker
hec...@mozillafoundation.org
Re: Quorum requirements for approval of CAs?
Eddy Nigg wrote:

> I would support a review requirement by the community of at least two individuals which independently review the CA.

Do you mean two people besides Kathleen? That may be difficult to achieve; I think there were a number of requests where you were the only community person who commented.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
Re: Quorum requirements for approval of CAs?
Nelson B Bolyard wrote:

> While I do not wish in any way to question or reduce the value of Kathleen's evaluation, I wonder if it is right for us to allow CA applications to be approved in the absence of any real public discussion.

As Ben pointed out, there was opportunity for public discussion, but no one took advantage of that opportunity, presumably due to not having time.

> In the complete absence of any discussion, positive or negative, does it seem right to allow CAs to go into the list by default? Should we have a quorum requirement, of some sort, requiring participation by at least N members before allowing approval?

I guess we could compare this to the problem of patches sitting in the queue for lack of review and superreview. Personally I would like to see at least some additional review of CA requests, whether that be by Eddy or you or whoever. But I'm also not really happy about stretching out discussion of CA requests for multiple weeks just because no one besides Kathleen has time to look at things, especially given the backlog of requests we have.

I have more comments on this, but they're probably better made in response to other posts.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
Re: Quorum requirements for approval of CAs?
On 10/2/09 14:16, Eddy Nigg wrote:

> On 02/10/2009 02:15 PM, Ian G:
>> I think -- personal & likely biased opinion only -- you might get more value by looking inside the foundation and asking them to expand the resources available on the CA desk. Their job is to be independent, and so far, that's worked out, more or less.
>
> 1.) They still may make mistakes.

So, no different to any other part of the business process.

> 2.) They are not independent.

Again, no different. Nobody is absolutely independent. The question is, who would be more independent, in a relative scale? If you look at it objectively, they have a better chance of being independent, and of covering the territory more completely.

>> (FTR, I've already written off-list emails to them on this subject. I know some changes have been made, and it takes time.)
>
> Why off-list?

That's off-topic.

iang
Re: Quorum requirements for approval of CAs?
On 02/10/2009 02:15 PM, Ian G:

> I also don't like this discussion about waiting for some perfect A-list of tech. We've got the NNTP thing, we've got the ordinary mail, what are we waiting on now? google-phone? twitter?

Even though I don't care about google groups either (and google can fetch any comment thereafter as well and also does so), Johnathan explained what we are waiting for...

> On to your important question. My views would fall on the "against change" side for now.

Of course! I wouldn't expect anything else from you...or you wouldn't be Ian Grigg.

> I think -- personal & likely biased opinion only -- you might get more value by looking inside the foundation and asking them to expand the resources available on the CA desk. Their job is to be independent, and so far, that's worked out, more or less.

1.) They still may make mistakes.
2.) They are not independent.

> (FTR, I've already written off-list emails to them on this subject. I know some changes have been made, and it takes time.)

Why off-list?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
Re: Quorum requirements for approval of CAs?
On 02/10/2009 02:30 PM, Ben Bucksch:

> Are you fearing that you are on holiday during that time and can't have your voice?

We should recommend that people which have reviewed the CAs in question say so after the comments period. Otherwise we don't know that somebody at least took a look. For example the last CA's comments period was too short for me... :-)

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
Re: Quorum requirements for approval of CAs?
On 10.02.2009 02:23, Nelson B Bolyard wrote:

> I'd post this in the policy working group, if that was operational ... :(
>
> In our esteemed Kathleen Wilson wrote:
>
>> According to https://wiki.mozilla.org/CA:How_to_apply
>> “If there are no open issues or action items after the first discussion period, and there is general agreement that you comply with our policy requirements, then at the Foundation's discretion the second phase of public discussion may be skipped, the request will be immediately approved, and the request will move into the inclusion phase…”
>
> I wonder if it is right for us to allow CA applications to be approved in the absence of any real public discussion.
>
> In the complete absence of any discussion, positive or negative, does it seem right to allow CAs to go into the list by default?

How do you arrive at "complete absence of any discussion" from the "If there are no open issues or action items after the first discussion period" and the "general agreement"? There *was* a discussion period, and in fact there had to be responses, otherwise there couldn't be "general agreement". It's just that nobody had any problems with it, after the discussion (or right away).

Why wouldn't you include the CA, then? Are you fearing that you are on holiday during that time and can't have your voice?
Re: Quorum requirements for approval of CAs?
On 10/2/09 02:23, Nelson B Bolyard wrote:

> I'd post this in the policy working group, if that was operational ... :(

I also don't like this discussion about waiting for some perfect A-list of tech. We've got the NNTP thing, we've got the ordinary mail, what are we waiting on now? google-phone? twitter?

On to your important question. My views would fall on the "against change" side for now.

> While I do not wish in any way to question or reduce the value of Kathleen's evaluation, I wonder if it is right for us to allow CA applications to be approved in the absence of any real public discussion.

According to the policy, yes it is right. Point 1, 2.

> In the complete absence of any discussion, positive or negative, does it seem right to allow CAs to go into the list by default? Should we have a quorum requirement, of some sort, requiring participation by at least N members before allowing approval?

That old Churchill comment: Democracy is a terrible system, but it beats the next best system hands down ... or was it, Democracy is 3 wolves and a sheep, voting on who to have for dinner :)

More seriously ... democracy works when there is a fight for limited resources. Firstly, there is no limited resource here; the root list can be as long as a list. Secondly, we have to worry about the quality of the fight.

On the one side, if there is to be a fight, we can be sure that the CA will muster the friends it needs to carry on the fight. So numbers won't be an issue for them. Nor "independence" nor "seriousness". And if they don't, then it is because they are stupid or honest, and we aren't in the game of punishing people for being stupid or honest.

On the other side, we have a group of people who might comment, "independently" and another group of people who might have a bone to pick, a fight for the sake of the fight, or a hobby horse. You might recall that (some?) political parties now routinely pay people to fill up blog postings with positive/negative remarks.

What we lack is any incentive for people to take on the independent role in what passes as a sustainable economic effort.

> It bothers me that a CA might get into the list simply because no one (besides Kathleen) had (or took) the time to seriously evaluate the application.

I think -- personal & likely biased opinion only -- you might get more value by looking inside the foundation and asking them to expand the resources available on the CA desk. Their job is to be independent, and so far, that's worked out, more or less.

(FTR, I've already written off-list emails to them on this subject. I know some changes have been made, and it takes time.)

> This seems especially problematic given that it appears to be nigh unto impossible to remove a CA from the list.

Yup, no matter how much work you put into the first application, we need a "corrective" after-the-fact measure. All non-brittle systems need some measure of fixing.

iang
Re: Quorum requirements for approval of CAs?
On 02/10/2009 03:23 AM, Nelson B Bolyard:

> While I do not wish in any way to question or reduce the value of Kathleen's evaluation, I wonder if it is right for us to allow CA applications to be approved in the absence of any real public discussion.
>
> In the complete absence of any discussion, positive or negative, does it seem right to allow CAs to go into the list by default? Should we have a quorum requirement, of some sort, requiring participation by at least N members before allowing approval?
>
> It bothers me that a CA might get into the list simply because no one (besides Kathleen) had (or took) the time to seriously evaluate the application. This seems especially problematic given that it appears to be nigh unto impossible to remove a CA from the list.

This is an interesting question. The last two years have proven that additional reviews had quite some consequences. Personally I'm doing my best to review every request, however there can't be any guaranty that I or anybody else can do so always.

I think however that your suggestion has some valid ground. I would support a review requirement by the community of at least two individuals which independently review the CA.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
Re: Quorum requirements for approval of CAs?
Thank you for bringing this up, Nelson. I would hope that your observation (as a much larger figure in the Mozilla organization than I or Eddy or much of anyone else) and worry will carry more weight than the people outside the inner circle.

-Kyle H

On Mon, Feb 9, 2009 at 5:23 PM, Nelson B Bolyard wrote:
> I'd post this in the policy working group, if that was operational ... :(
>
> In
> our esteemed Kathleen Wilson wrote:
>
>> According to https://wiki.mozilla.org/CA:How_to_apply
>> "If there are no open issues or action items after the first
>> discussion period, and there is general agreement that you comply with
>> our policy requirements, then at the Foundation's discretion the
>> second phase of public discussion may be skipped, the request will be
>> immediately approved, and the request will move into the inclusion
>> phase…"
>
> While I do not wish in any way to question or reduce the value of
> Kathleen's evaluation, I wonder if it is right for us to allow CA
> applications to be approved in the absence of any real public discussion.
>
> In the complete absence of any discussion, positive or negative, does it
> seem right to allow CAs to go into the list by default? Should we have a
> quorum requirement, of some sort, requiring participation by at least N
> members before allowing approval?
>
> It bothers me that a CA might get into the list simply because no one
> (besides Kathleen) had (or took) the time to seriously evaluate the
> application. This seems especially problematic given that it appears
> to be nigh unto impossible to remove a CA from the list.
Quorum requirements for approval of CAs?
I'd post this in the policy working group, if that was operational ... :(

In our esteemed Kathleen Wilson wrote:

> According to https://wiki.mozilla.org/CA:How_to_apply
> “If there are no open issues or action items after the first
> discussion period, and there is general agreement that you comply with
> our policy requirements, then at the Foundation's discretion the
> second phase of public discussion may be skipped, the request will be
> immediately approved, and the request will move into the inclusion
> phase…”

While I do not wish in any way to question or reduce the value of Kathleen's evaluation, I wonder if it is right for us to allow CA applications to be approved in the absence of any real public discussion.

In the complete absence of any discussion, positive or negative, does it seem right to allow CAs to go into the list by default? Should we have a quorum requirement, of some sort, requiring participation by at least N members before allowing approval?

It bothers me that a CA might get into the list simply because no one (besides Kathleen) had (or took) the time to seriously evaluate the application. This seems especially problematic given that it appears to be nigh unto impossible to remove a CA from the list.