Ryan, can you tell us something about Google's plans concerning WoSign and StartCom?
cheers
Mathias

On Sun, 2016-10-16 at 11:55 -0700, Ryan Sleevi wrote:
> On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote:
> >
> > On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> >
> > > The only one who's openly addressed this seems to be Mozilla.
> >
> > It would certainly be nice if Mozilla weren't the only openly operated root program. :)
> >
> > It seems to put Mozilla in the situation of being the effective first-mover whether they want to be or not, since they're the only entity hosting public discussions about what to do. It certainly felt that way with WorldPay, and Ryan's comments to Kathleen in the other thread about whether Mozilla could be more aggressive with WoSign if they knew they were not going to be saddled with first/only-mover disadvantage seem to point to this dynamic as well.
>
> To be clear: I don't think the fact that this is happening on mozilla.dev.security.policy is enough to suggest that there aren't open/transparent programs, or that it's limited to Mozilla's response.
>
> Imagine a hypothetical world where there were multiple, independently approved root programs - that is, that the software vendor retains final choice in deciding to include/not include a given certificate. Let's say that these programs also adopted the principles that Mozilla has - of having a community driven focus, based on feedback and investigation, and an open period for review and discussion.
>
> Would this hypothetical world benefit, or be harmed, if these conversations happened on independent lists? My belief is that it would be harmed - that is, that having separate root programs operate separate lists would invite all the same problems that the Common CA Cert Database (aka Salesforce) is trying to solve, by duplicating effort and activity, without providing new or unique information.
>
> Instead, we might conclude that these independently operated programs might benefit from having a common, shared community review and discussion, but then independently declare their final results - whether to include, remove, or otherwise sanction or censure. This would allow involved members of the community a central place to discuss, publicly, and share information and perspectives, while also avoiding the issues alluded to earlier in the thread with respect to the antitrust statements of the CA/B Forum.
>
> Whether such a shared list has a name like mozilla.dev.security.policy or some new email list largely seems irrelevant, and the status quo, by having a large and involved membership, might be preferable to creating yet another list.
>
> Just a thought ;)
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

-- 
DI Mathias Tausig, Kompetenzzentrum für IT-Security, FH Campus Wien, Informationstechnologien und Telekommunikation.
Favoritenstrasse 226, Room B.2.18, 1100 Wien, Austria.
T: +43 1 606 68 77-2472, F: +43 1 606 68 77-2139.
mathias.tau...@fh-campuswien.ac.at
PGP Key-ID: 75656BBF