On 16/10/2016 20:55, Ryan Sleevi wrote:
On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote:
On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz>

 The only one who's openly addressed this
seems to be Mozilla.

It would certainly be nice if Mozilla weren't the only openly operated root
program. :)

It seems to put Mozilla in the situation of being the effective first-mover
whether they want to be or not, since they're the only entity hosting
public discussions about what to do. It certainly felt that way with
WorldPay, and Ryan's comments to Kathleen in the other thread about whether
Mozilla could be more aggressive with WoSign if they knew they were not
going to be saddled with first/only-mover disadvantage seems to point to
this dynamic as well.

To be clear: I don't think the fact that this is happening on 
mozilla.dev.security.policy is enough to suggest that there aren't 
open/transparent programs, or that it's limited to Mozilla's response.

Imagine a hypothetical world where there were multiple, independently approved 
root programs - that is, that the software vendor retains final choice in 
deciding to include/not include a given certificate. Let's say that these 
programs also adopted the principles that Mozilla has - of having a community 
driven focus, based on feedback and investigation, and an open period for 
review and discussion.

Would this hypothetical world benefit, or be harmed, if these conversations 
happened on independent lists? My belief is that it would be harmed - that is, 
that having separate root programs operate separate lists would invite all the 
same problems that the Common CA Cert Database (aka Salesforce) is trying to 
solve, by duplicating effort and activity, without providing new or unique 

Instead, we might conclude that these independently operated programs might 
benefit from having a common, shared community review and discussion, but then 
independently declare their final results - whether to include, remove, or 
otherwise sanction or censure. This would allow involved members of the 
community a central place to discuss, publicly, and share information and 
perspectives, while also avoiding the issues alluded too earlier in the thread 
with respect to the antitrust statements of the CA/B Forum.

Whether such a shared list has a name like mozilla.dev.security.policy or some 
new email list largely seems irrelevant, and that the status quo, by having a 
large and involved membership, might be more preferable than creating yet 
another list.

Just a thought ;)

Unfortunately this line of thinking is hugely contradicted by some key
people on this mailing list repeatedly insisting on ignoring any
consequences outside the limited scope of the next release of Firefox.

Over the past few years, this has caused the Mozilla root list to
become less and less useful for the rest of the open source world, a
fact which at least some of the Mozilla-root-list-copying open source
projects seem not to be aware of yet.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list

Reply via email to