On 9/22/15 11:37 AM, R Kent James wrote:
On 9/21/2015 7:07 PM, Kathleen Wilson wrote:
As we did with the discussion about the code signing trust bit, let's
list the arguments for and against removing references to the Email
trust bit from Mozilla's CA Certificate Policy.

The main comment that I can give is that this is spectacularly bad
timing for us to do this discussion. If we must have this discussion
now, OK we'll do it, but I would ask instead if this can't be delayed
for six months.

Actually, the future of Thunderbird is not the primary factor in this discussion. There are many other users of the NSS root store. My job has always been to manage the NSS root store, so I must take the non-Mozilla users of the NSS root store into account as well. In the case of Code Signing, I could not find any other users of the NSS root store depending on the Code Signing trust bit. On the contrary, I believe there are many users of the NSS root store depending on the Email trust bit (maybe for identity rather than S/MIME, but still using this trust bit). I hope some of them will speak up in this discussion.



The Thunderbird team is trying very hard to get Mozilla to clarify the
position of Thunderbird within Mozilla, and at the same time organizing
funding external to MoCo that will allow us to have a team of developers
that can address some of the complaints that Brian Smith makes about the
current state of Thunderbird development. Part of the motivation for
external funding is that Thunderbird, as the leading open-source desktop
email client, plays a critical role in the worldwide infrastructure
supporting end-to-end communications encryption. One way or the other,
these issues will be resolved within 6 months, and a new policy toward
Thunderbird publicly adopted by Mozilla.


I am happy to hear that. I am a big fan of Thunderbird -- I use it for email, news, and calendar.


Given all of that, it would be better to delay this discussion. If that
is not possible, the most simple response I can give is that Thunderbird
is still Mozilla's #2 product, security is an important part of the
Mozilla manifesto and brand, and S/MIME is an important Thunderbird
security feature that relies on this root certificate infrastructure. If
there are issues with how that is handled, let's fix those issues.

R Kent James
Chair, Thunderbird Council


Thanks for your input into this discussion. I greatly appreciate it!

Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
