Hi Gary, I'm sort of confused by your question. We need a way to decide which certificates are valid. How would we do that if not by having a list of trusted root CAs? And if you need such a list, you need a policy for how to construct that list, even if it's just "defer to the platform" (which some other browsers do).
--Richard

On Jul 9, 2014, at 11:39 AM, Gary Mort <[email protected]> wrote:

> Looking over the Mozilla at
> http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
> I can't really find a good clear reason why Mozilla would maintain and
> distribute this list to begin with.
>
> There are many implied reasons in the policies themselves, but those implied
> reasons are often contradicted by individuals from Mozilla when discussing
> the merits of including or removing various certificates.
>
> Rather than continue to guess, I decided a more efficient method would be to
> ask - especially as I feel that the initial assumptions on usage for a root
> CA list have in fact been proven wrong over time - which means that current
> policy is based on unwritten assumptions and implications which leads to
> convoluted decisions which appear to lack internal logical consistency.
>
> Please do not think this is criticism of the huge amount of work that has
> gone into creating and maintaining this list. I feel that it has served a
> vital goal for quite a long time - I'm just not sure if the way it is
> maintained today serves any practical goal in regards specifically to
> browsing the web.
>
> I would prefer public replies to this e-mail/posting rather than links to
> some statement elsewhere. Primarily to deal with the whole matter of
> inference and implication. I.e. if you provide a link to some RFC that may
> answer the question - it does not mean that you are actually saying you agree
> with everything in that RFC and any implications in such a document may be
> interpreted differently by different parties. So I am primarily interested
> in what the perceived goals are being met by these policies and a root CA
> file by those actually involved in implementing and crafting it.
>
> Feel free to provide links to more detailed information in addition, I simply
> request that you summarize what you are taking away from those documents.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
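The point Richard makes, that a validator has nothing to terminate a chain against unless it holds a list of trust anchors, can be shown with a small chain walk. The following is an added example, not code from the thread, from Mozilla or from any browser; it assumes the python-cryptography package, generates throwaway ECDSA P-256 certificates as constructed test data, and deliberately omits revocation, name constraints and policy processing.

```python
"""Added example: a minimal chain walk showing that validation needs trust anchors.
Builds a throwaway root -> intermediate -> leaf PKI (constructed data, ECDSA P-256)
with python-cryptography and validates the leaf against different anchor lists."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

MAX_DEPTH = 8  # bound the walk so malformed input cannot loop forever


def _make_cert(common_name, issuer=None, issuer_key=None, is_ca=False):
    """Issue a certificate for common_name; self-signed when no issuer is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject if issuer is None else issuer.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(key if issuer_key is None else issuer_key, hashes.SHA256()), key


def _validity_window(cert):
    """(not_before, not_after) as aware UTC datetimes, across cryptography versions."""
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc  # cryptography >= 42
    except AttributeError:  # older releases expose naive UTC datetimes
        utc = datetime.timezone.utc
        return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def _is_ca(cert):
    """Only a certificate with basicConstraints CA=TRUE may issue others."""
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def validate_chain(leaf, intermediates, trust_anchors, now=None):
    """Walk from leaf towards a trust anchor, checking dates, CA flag and signatures.

    Returns True only when the walk reaches a certificate that is in trust_anchors;
    the anchor list is what terminates the chain, so an empty list rejects everything.
    Issuer keys are assumed to be ECDSA, as _make_cert builds them.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    anchor_der = {c.public_bytes(Encoding.DER) for c in trust_anchors}
    pool = list(intermediates) + list(trust_anchors)
    current = leaf
    for _ in range(MAX_DEPTH):
        not_before, not_after = _validity_window(current)
        if not not_before <= now <= not_after:
            return False
        if current.public_bytes(Encoding.DER) in anchor_der:
            return True  # reached a trust anchor
        # Find the issuer by name, then prove it actually signed `current`.
        issuer = next((c for c in pool if c.subject == current.issuer and c is not current), None)
        if issuer is None or not _is_ca(issuer):
            return False
        try:
            issuer.public_key().verify(current.signature, current.tbs_certificate_bytes,
                                       ec.ECDSA(current.signature_hash_algorithm))
        except InvalidSignature:
            return False
        current = issuer
    return False  # chain too long


def build_demo_pki():
    """Constructed root -> intermediate -> leaf, plus an impostor root with the same name."""
    root, root_key = _make_cert("Example Root CA", is_ca=True)
    inter, inter_key = _make_cert("Example Issuing CA", root, root_key, is_ca=True)
    leaf, _ = _make_cert("www.example.test", inter, inter_key)
    impostor, _ = _make_cert("Example Root CA", is_ca=True)  # same name, different key
    return {"root": root, "intermediate": inter, "leaf": leaf, "impostor_root": impostor}


def demo():
    """Same leaf and intermediate under three anchor policies: trusted, empty, impostor."""
    pki = build_demo_pki()
    chain = [pki["intermediate"]]
    return (validate_chain(pki["leaf"], chain, [pki["root"]]),
            validate_chain(pki["leaf"], chain, []),
            validate_chain(pki["leaf"], chain, [pki["impostor_root"]]))
```

`demo()` returns `(True, False, False)`: the same leaf validates when the genuine root is an anchor, fails with an empty anchor list, and fails against an impostor root that carries the same name but a different key, since name matching alone never decides trust. The "defer to the platform" policy Richard mentions is just a different way of filling `trust_anchors`; in Python that would be the DER certificates returned by `ssl.create_default_context().get_ca_certs(binary_form=True)`, and the walk itself does not change.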

