On Tuesday, August 16, 2016 at 6:14:12 PM UTC-7, Nick Lamb wrote: > 6) Engage with other trust store maintainers which trust this CA to determine > a common choice of action. I believe Apple and Microsoft both trust this CA. > They too should have concerns about its behaviour and have thoughts about how > users should be protected. Or maybe they don't.
That options pretty much a non-starter for reasons best not speculated about, but I'm curious: Why or how would that improve the security of Mozilla users? And if it doesn't meaningfully improve their security, how would it at least further the Mozilla principle of individuals' security and privacy? There's three possible outcomes from such (well, more, but again, not going to speculate on things I'm not legally qualified to speculate about): - Other stores push for a more lenient solution than Mozilla thinks appropriate for their users - Other stores push for the same solution as Mozilla thinks appropriate for their users - Other stores push for a more strict response than Mozilla thinks appropriate for their users The first option is a non-starter if it leaves Mozilla users more at risk. The second option doesn't provide net-value. The third option seems sub-optimal, as it suggests Mozilla's decisions are arbitrary based on coordinated action with other stores, rather than upholding Mozilla's principles and protecting its users. What about the other way - Convincing other stores to a particular path? They're in the same position, and likely have the same concerns - too weak, the same, or too strong. You could argue that you believe other trust store maintainers have additional information that they're not willing to share publicly, and while that may be true, it doesn't further Mozilla's goal of consistency and transparency to allow such information to alter the decision making unless it can be shared, and if it could be shared, it could be shared here. You could argue that you believe coordinated action eliminates the first mover penalty, but we know from ample work in the TLS space that you can't escape the first mover penalty to some degree, because products are on different release cycles. You could argue it'd be a PR issue if Mozilla took one stance and another browser took another, but isn't that still core to the point - Mozilla should do what's right for Mozilla users, and as according to Mozilla's principles? So aren't we now back to the same set of question/options posed - which is what does the Mozilla community, and in particular, Mozilla itself, feel is appropriate to protect users of Mozilla products? And that's basically 1-5, AFAIK. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
