Re: new anti-fraud mailing list for discussing improving browser security UI
Amir Herzberg wrote:

I wonder: was the mere fact of you meeting with them a secret? If so, did you get permission to disclose this secret (was it declassified)?

The existence of the meeting was not a secret. http://weblogs.mozillazine.org/gerv/archives/008126.html

It must have been `top secret` since you were forced to take evasive actions, i.e. tell us you need usability tests, criteria, code, etc. when you simply could have said that you decided to follow a specific direction and are not currently interested in outside contributions. This would have been the right thing to do, imho.

Why do you persist in seeing this as an either/or, black-and-white thing? Just because we are improving the certificate UI doesn't mean that all your work is suddenly invalid or unwanted. I'm very interested in what you are doing. I'm not yet convinced any of the suggested outside contributions are a good fit for Firefox. That doesn't mean that won't change in the future.

Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
Re: new anti-fraud mailing list for discussing improving browser security UI
Doug Ludy wrote:

I am a newcomer who knows a little bit about group process. It has been fascinating to watch this newsgroup at work--brilliant minds and powerful egos working toward similar goals. I am reminded of a debate in the English parliament. Rather than viewing the current impasse in terms of betrayal and trickery I think a more charitable approach might be the model of culture clash. How does a group accustomed to open process communicate and negotiate with another group whose approach is proprietary and secretive? What rules apply? Which compromises are life-enhancing rather than life-threatening? This is a very old dilemma. I sincerely hope this discussion continues, for trust is important to me.

Interesting comment. But: the discussion was between two groups which are both claiming to follow and believe in open process; I believe Gerv in his note clearly indicates his personal preference for more open process. Anyway, considering Mozilla are currently pursuing a different, `closed` approach, the technical discussion moved to the new list Duane made (see original post).

Best, Amir Herzberg
Re: new anti-fraud mailing list for discussing improving browser security UI
Gervase Markham wrote:

Amir Herzberg wrote:

It is not an issue of fairness, it is an issue of open process. I am indeed disappointed to find that Mozilla is not acting openly. As a believer in open process, I am concerned that the result may be suboptimal.

I would like the process to be more open. I hope and expect that in the future, it will be. However, to achieve the goal, it can't be open right now.

Fine. Considering Mozilla are currently pursuing a different, `closed` approach, the technical discussion moved to the new list Duane made (see original post); please join if and when interested.

This is not the way to encourage innovation. In fact, this situation, which was not even disclosed openly during this lengthy discussion,

As I said, some of those involved are reticent about their involvement.

I don't see why this prevented you from stating all this up front, instead of wasting people's time on trying to convince you to follow an open process you (temporarily?) abandoned.

And I hope the occupants of this newsgroup won't go shooting their mouths off in blogs and on Slashdot.

I'm rather surprised at this comment. After all, you (claim to) believe in open process, and surely criticism of your actions is a part of that. If somebody feels this is somewhat contrary to the stated goals and principles of Mozilla and the open community in general, what's wrong about voicing this in any forum?

puts Heikki's advice on `develop code` in rather strange light.

Not at all. Just because we're not in a position to accept your code now doesn't mean it's not valuable.

It certainly does not mean the code is not valuable. OTOH, it is important input, which I think in fairness should have been disclosed. For example, I may have decided to put more effort into non-Mozilla development; we currently do only Firefox and IE, I may have focused more on the IE version, or even begun an effort on another browser. I am definitely considering such options now; regardless of my decision and actions, the fact that this new information resulted in re-evaluation indicates this information should have been disclosed. I am not angry, I'm sure you and Heikki simply did not consider the implication of your following a closed process and the need to disclose that decision. Frankly, a simple apology would have made me feel better about it, but I don't insist, after all sometimes `sorry seems to be the hardest word` :-)

I'm not planning to stop coding (yet), but I think you should have indicated that at least the Mozilla group thinks that working in a closed committee will be more effective

Please don't make it so black and white - it's not. I personally don't think a closed group is any more effective, but I'm not the only person with a view on the question.

Ok, and even if you did, that's an understandable position, even if I think it is wrong.

Best, Amir Herzberg
Re: new anti-fraud mailing list for discussing improving browser security UI
Duane wrote:

But how can you trust a process going on behind closed doors and excluding everyone else?

We're not developing security protocols, we're developing best practices and UI. And I am very strongly of the opinion that there needs to be a public review process, and have made that point and will make it again.

Furthermore another example of what I'm talking about was with Comodo trying to lock trust bar into their patents, for US businesses this seems to be business as usual, the only thing surprising me is the Mozilla guys falling hook line and sinker for it... No wonder Gerv didn't want blogs and/or slashdot postings about it, it would blow the lid off the entire thing at how Mozilla is selling out its user base to the same vested commercial interests it's supposed to be an alternative for!

Well, it's certainly this sort of unfounded paranoia that probably would blow the lid off the embryonic ground-breaking collaboration we've managed to achieve. Do you think all the browser makers collaborate regularly? So go ahead, shoot your mouth off, create a security scandal - some large company will rush out a patch containing the best UI that comes to mind, and we'll all have to copy it if we want consistency. At the moment, phishers aren't using SSL. This gives us breathing space to reinforce it so that when they do, we'll be ready. That's what I hope to take advantage of with this work.

Gerv
new anti-fraud mailing list for discussing improving browser security UI
Gervase Markham wrote:

Ian Grigg wrote:

This is clearly not the case - in partnership with the other browser vendors, we are together working out the most appropriate UI and then all implementing it.

That's fine, but of course not currently an open process. Duane kindly set up an open forum, the [EMAIL PROTECTED] mailing list. This is for anybody interested in further discussing these issues; thanks! I am sure that some of the people in the `closed` group will also join/follow the open forum, and certainly hope that Gerv will. In particular, this list is an appropriate forum for feedback on our proposal (TrustBar) and other proposals, for developing agreed-upon criteria, etc. For info or to join: http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud

You (mozilla, you, everyone within) are not playing fair.

It is not an issue of fairness, it is an issue of open process. I am indeed disappointed to find that Mozilla is not acting openly. As a believer in open process, I am concerned that the result may be suboptimal. This is not the way to encourage innovation.

Best, Amir Herzberg

See the new TrustBar homepage at http://AmirHerzberg.com/TrustBar
Re: new anti-fraud mailing list for discussing improving browser security UI
Gervase Markham wrote:

Amir Herzberg wrote:

It is not an issue of fairness, it is an issue of open process. I am indeed disappointed to find that Mozilla is not acting openly. As a believer in open process, I am concerned that the result may be suboptimal.

I would like the process to be more open. I hope and expect that in the future, it will be. However, to achieve the goal, it can't be open right now.

This is not the way to encourage innovation. In fact, this situation, which was not even disclosed openly during this lengthy discussion,

As I said, some of those involved are reticent about their involvement. And I hope the occupants of this newsgroup won't go shooting their mouths off in blogs and on Slashdot.

puts Heikki's advice on `develop code` in rather strange light.

Not at all. Just because we're not in a position to accept your code now doesn't mean it's not valuable.

I'm not planning to stop coding (yet), but I think you should have indicated that at least the Mozilla group thinks that working in a closed committee will be more effective

Please don't make it so black and white - it's not. I personally don't think a closed group is any more effective, but I'm not the only person with a view on the question.

Gerv

I am a newcomer who knows a little bit about group process. It has been fascinating to watch this newsgroup at work--brilliant minds and powerful egos working toward similar goals. I am reminded of a debate in the English parliament. Rather than viewing the current impasse in terms of betrayal and trickery I think a more charitable approach might be the model of culture clash. How does a group accustomed to open process communicate and negotiate with another group whose approach is proprietary and secretive? What rules apply? Which compromises are life-enhancing rather than life-threatening? This is a very old dilemma. I sincerely hope this discussion continues, for trust is important to me.