On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote:
> On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz>
> wrote:
> >  The only one who's openly addressed this
> > seems to be Mozilla.
> >
> It would certainly be nice if Mozilla weren't the only openly operated root
> program. :)
> It seems to put Mozilla in the situation of being the effective first-mover
> whether they want to be or not, since they're the only entity hosting
> public discussions about what to do. It certainly felt that way with
> WorldPay, and Ryan's comments to Kathleen in the other thread about whether
> Mozilla could be more aggressive with WoSign if they knew they were not
> going to be saddled with first/only-mover disadvantage seems to point to
> this dynamic as well.

To be clear: I don't think the fact that this is happening on 
mozilla.dev.security.policy is enough to suggest that there aren't 
open/transparent programs, or that it's limited to Mozilla's response.

Imagine a hypothetical world where there were multiple, independently approved 
root programs - that is, that the software vendor retains final choice in 
deciding to include/not include a given certificate. Let's say that these 
programs also adopted the principles that Mozilla has - of having a community 
driven focus, based on feedback and investigation, and an open period for 
review and discussion.

Would this hypothetical world benefit, or be harmed, if these conversations 
happened on independent lists? My belief is that it would be harmed - that is, 
that having separate root programs operate separate lists would invite all the 
same problems that the Common CA Cert Database (aka Salesforce) is trying to 
solve, by duplicating effort and activity, without providing new or unique 

Instead, we might conclude that these independently operated programs might 
benefit from having a common, shared community review and discussion, but then 
independently declare their final results - whether to include, remove, or 
otherwise sanction or censure. This would allow involved members of the 
community a central place to discuss, publicly, and share information and 
perspectives, while also avoiding the issues alluded too earlier in the thread 
with respect to the antitrust statements of the CA/B Forum.

Whether such a shared list has a name like mozilla.dev.security.policy or some 
new email list largely seems irrelevant, and that the status quo, by having a 
large and involved membership, might be more preferable than creating yet 
another list.

Just a thought ;)
dev-security-policy mailing list

Reply via email to