Ryan, can you tell us something about Google's plans concerning WoSign and
On Sun, 2016-10-16 at 11:55 -0700, Ryan Sleevi wrote:
> On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote:
> > On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz>
> > wrote:
> > >
> > > The only one who's openly addressed this
> > > seems to be Mozilla.
> > >
> > It would certainly be nice if Mozilla weren't the only openly operated root
> > program. :)
> > It seems to put Mozilla in the situation of being the effective first-mover
> > whether they want to be or not, since they're the only entity hosting
> > public discussions about what to do. It certainly felt that way with
> > WorldPay, and Ryan's comments to Kathleen in the other thread about whether
> > Mozilla could be more aggressive with WoSign if they knew they were not
> > going to be saddled with first/only-mover disadvantage seem to point to
> > this dynamic as well.
> To be clear: I don't think the fact that this is happening on
> mozilla.dev.security.policy is enough to suggest that there aren't
> open/transparent programs, or that it's limited to Mozilla's response.
> Imagine a hypothetical world where there were multiple, independently approved
> root programs - that is, that the software vendor retains final choice in
> deciding to include/not include a given certificate. Let's say that these
> programs also adopted the principles that Mozilla has - of having a community
> driven focus, based on feedback and investigation, and an open period for
> review and discussion.
> Would this hypothetical world benefit, or be harmed, if these conversations
> happened on independent lists? My belief is that it would be harmed - that is,
> that having separate root programs operate separate lists would invite all the
> same problems that the Common CA Cert Database (aka Salesforce) is trying to
> solve, by duplicating effort and activity, without providing new or unique
> Instead, we might conclude that these independently operated programs might
> benefit from having a common, shared community review and discussion, but then
> independently declare their final results - whether to include, remove, or
> otherwise sanction or censure. This would allow involved members of the
> community a central place to discuss, publicly, and share information and
> perspectives, while also avoiding the issues alluded to earlier in the thread
> with respect to the antitrust statements of the CA/B Forum.
> Whether such a shared list has a name like mozilla.dev.security.policy or some
> new email list largely seems irrelevant, and that the status quo, by having a
> large and involved membership, might be more preferable than creating yet
> another list.
> Just a thought ;)
> dev-security-policy mailing list
DI Mathias Tausig,
Competence Centre for IT Security,
FH Campus Wien,
Information Technologies and Telecommunications.
Favoritenstrasse 226, Room B.2.18,
1100 Vienna, Austria.
T: +43 1 606 68 77-2472, F: +43 1 606 68 77-2139.
PGP Key-ID: 75656BBF