On Tue, January 19, 2016 5:38 pm, Eric Mill wrote:
>  If your experience with MD5 supports the notion that removing support for
>  it in the enterprise hurt user security in some other way, such as causing
>  enterprises to lock their users to older versions of Chrome for a long
>  period of time, please give more qualitative or quantitative detail to
>  support that. Otherwise, I have to assume a more traditional and typical
>  competitive dynamic that doesn't generally work in the public's interest.

While I sent a more comprehensive reply off-list explaining why I have
trouble with your arguments, I don't believe I can in good faith continue
this conversation with you, Eric.

I appreciate your curiosity and enthusiasm, but I don't believe your
questions are at all relevant to this discussion, nor do I appreciate the
implication that my participation is an attempt to gain competitive
advantage - simply because I don't want to see users switch to Firefox or
another browser.

I don't believe it's necessary to satiate your curiosity, nor is it a
reasonable request, especially when ample information about the impact
that the MD5 deprecation had (as shown on the bug you previously linked),
ample academic literature exists on warning fatigue, and by your own
admission, you're familiar with the purchasing, upgrade, and deployment
cycles of enterprises and the challenges therein.

I've suggested several paths that Richard and the Firefox team may
consider, as compromises that allow Firefox to ensure secure
communications for users, while allowing enterprises the necessary relief
valves for their (longer) timelines and unique challenges. I can
appreciate that you don't see the utility in the relief valve, but there's
ample evidence (and your own experience should tell you) that such things
would and are necessary. They are paths being pursued by the Chrome team,
and, based on the evidence and historical precedence, believed to be the
Microsoft strategy as well.

In any event, I don't believe either of us is contributing positively to
the conversation at this point, so I'll bow out, and would encourage
considering the same.

Best,

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
