On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote:
> On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz>
> > The only one who's openly addressed this
> > seems to be Mozilla.
> It would certainly be nice if Mozilla weren't the only openly operated root
> program. :)
> It seems to put Mozilla in the situation of being the effective first-mover
> whether they want to be or not, since they're the only entity hosting
> public discussions about what to do. It certainly felt that way with
> WorldPay, and Ryan's comments to Kathleen in the other thread about whether
> Mozilla could be more aggressive with WoSign if they knew they were not
> going to be saddled with first/only-mover disadvantage seem to point to
> this dynamic as well.
To be clear: I don't think the fact that this is happening on
mozilla.dev.security.policy is enough to suggest that there aren't
open/transparent programs, or that it's limited to Mozilla's response.
Imagine a hypothetical world where there were multiple, independently approved
root programs - that is, that the software vendor retains final choice in
deciding to include/not include a given certificate. Let's say that these
programs also adopted the principles that Mozilla has - of having a community
driven focus, based on feedback and investigation, and an open period for
review and discussion.
Would this hypothetical world benefit, or be harmed, if these conversations
happened on independent lists? My belief is that it would be harmed - that is,
that having separate root programs operate separate lists would invite all the
same problems that the Common CA Cert Database (aka Salesforce) is trying to
solve, by duplicating effort and activity, without providing new or unique
Instead, we might conclude that these independently operated programs might
benefit from having a common, shared community review and discussion, but then
independently declare their final results - whether to include, remove, or
otherwise sanction or censure. This would allow involved members of the
community a central place to discuss, publicly, and share information and
perspectives, while also avoiding the issues alluded to earlier in the thread
with respect to the antitrust statements of the CA/B Forum.
Whether such a shared list has a name like mozilla.dev.security.policy or some
new email list largely seems irrelevant, and that the status quo, by having a
large and involved membership, might be more preferable than creating yet
Just a thought ;)