On 10/2/2015 11:36 AM, Brian Smith wrote:
---------- Forwarded message ----------
From: Brian Smith <[email protected]>
Date: Thu, Oct 1, 2015 at 7:15 AM
Subject: Re: Policy Update Proposal: Remove Code Signing Trust Bit
To: Gervase Markham <[email protected]>
Cc: "[email protected]" <[email protected]>
On Wed, Sep 30, 2015 at 11:05 PM, Gervase Markham <[email protected]> wrote:
On 01/10/15 02:43, Brian Smith wrote:
Perhaps nobody's is, and the whole idea of using publicly-trusted CAs for
code signing and email certs is flawed and so nobody should do this.
I think we should divide code-signing and email here. I can see how one
might make an argument that using Mozilla's list for code-signing is not
a good idea; a vendor trusting code-signing certs on their platform
should choose which CAs they trust themselves.
But if there is no widely-trusted set of email roots, what will that do
for S/MIME interoperability?
First of all, there is a widely-trusted set of email roots: Microsoft's.
Secondly, there's no indication that having a widely-trusted set of email
roots *even makes sense*. Nobody has shown any credible evidence that it
even makes sense to use publicly-trusted CAs for S/MIME. History has shown
that almost nobody wants to use publicly-trusted CAs for S/MIME, or even
S/MIME at all.
There is demonstrably more use of S/MIME than PGP. So, by extension of
your argument, almost nobody wants to use secure email, and there is
therefore no point in supporting them. Such a position would naturally
be a gross violation of the Mozilla Manifesto, particularly the fourth
principle.
Further, there's been actual evidence presented that Mozilla's S/MIME
software is not trustworthy due to lack of maintenance.
There have been contributor patches to S/MIME code within Mozilla. If
there are issues in the verification or processing of S/MIME within NSS
itself, then this can only be the result of a gross dereliction of duty
of Mozilla's security team to stop supporting it (as S/MIME has
traditionally been under the purview of security, not the email team)
without bothering to even notify any potential consumers, let alone
attempting to help transition them into taking any more of a maintenance
role.
I do realize that I'm using strong language, but this does feel to me to
be part of a campaign to intentionally sabotage Thunderbird development
simply because it's not Firefox and it would detract development from
Firefox, despite the fact that Thunderbird is the second-most-used
project of Firefox (and still growing in market share!) and remains an
official Mozilla project.
--
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
