On Oct 24, 2019, at 12:36 PM, Phillip Hallam-Baker via dev-security-policy <[email protected]> wrote:

> Eric,
>
> I am not going to be gaslighted here.
>
> Just what was your email supposed to do other than "suppressing dialogue within this community"?
>
> I was making no threat, but if I was still working for a CA, I would certainly get the impression that you were threatening me.
>
> The bullying and unprofessional behavior of a certain individual is one of the reasons I have stopped engaging in CABForum, an organization I co-founded. My contributions to this industry began in 1992 when I began working on the Web with Tim Berners-Lee at CERN.
>
> The fact that employees who work on what is the third largest browser also participate in the technical and policy discussions of the third largest browser which is also the only multi-party competitor should be a serious concern to Google and Mozilla. It is a clear antitrust liability to both concerns. People here might think that convenient, but it is not the sort of arrangement I for one would like to be having to defend in Congressional hearings.
>
> As I said, I do not make threats. My concern here is that we have lost public confidence. We are no longer the heroes we once were and politicians in your own party are now running against 'Big Tech'. We already had DoH raised in the House this week and there is more to come. We have six months at most to put our house in order.
[PW] +1 on everything said by Phil. I particularly like "We are no longer the heroes we once were". The fact that Phil stopped contributing to the CABForum due to one bully means the industry loses out - I've noticed a massive decline in participation from many members, some of them for the same reason, as they told me in private.

I'd like to add that I've only met Phil once, when we were both speakers at the W3C WWW2006 conference. I showed him a Firefox add-on with visual indicators for search engines, and he explained to me the concept of a URL bar that would turn green (set aside accessibility challenges with color-only for now) so users can avoid counterfeit websites. I was blown away by the idea and by the possible implementations with browsers. How could a user possibly fall for a deceptive website?!

It's ***2019*** and people falling for deceptive websites and dangerous URIs is the #1 problem in cybersecurity - and it's getting worse. But alas, browser vendors didn't design the UI/UX in the way it was expected. And instead of iterating the UI/UX based on user feedback until product/market fit was achieved, vendors decided to remove it all. And instead of looking inward to see what they could have done better, they blame the companies that simply provided the information for them to display in their UI.

There is zero data from any company to prove that browser UI for website identity can't work. I could write a white paper on why it didn't work and why it can't work based on how it *was* implemented. This is not research - this is confirmation bias. There isn't a single successful product or feature that didn't require iteration. So, the next time a person says "EV is broken" or "website identity can't work" please think about what I just said and imagine actual browser designers and developers who were/are responsible for that work. They were never given a chance to get it right.

I don't work for a CA and never have.
But I'm sick and tired of the bullying tactics from some individuals who work for major players - it's toxic. *Not* referring to you Eric :)

If we want to discuss CA marketing/sales and verification processes then let's do that - *separate* to browser UI implementations.

And here's what's almost funny: we're going to see the very same mistakes made for email. Everyone involved in BIMI [1] asserts that it has nothing to do with security - it's all about marketing. Yet almost everything in regards to benefits and execution is security related. They're about to make all the same silly mistakes over again.

[1] https://bimigroup.org

Regards,
- Paul

> On Thu, Oct 24, 2019 at 12:29 PM Eric Mill <[email protected]> wrote:
>
>> Phillip, that was an unprofessional contribution to this list, that could be read as a legal threat, and could contribute to suppressing dialogue within this community. And, given that the employee to which it is clear you are referring is not only a respected community member, but literally a peer of the Mozilla Root Program, it is particularly unhelpful to Mozilla's basic operations.
>>
>> On Wed, Oct 23, 2019 at 10:33 AM Phillip Hallam-Baker via dev-security-policy <[email protected]> wrote:
>>
>>> On Tue, Oct 22, 2019 at 7:49 PM Matt Palmer via dev-security-policy <[email protected]> wrote:
>>>
>>>> On Tue, Oct 22, 2019 at 03:35:52PM -0700, Kirk Hall via dev-security-policy wrote:
>>>>> I also have a question for Mozilla on the removal of the EV UI.
>>>>
>>>> This is a mischaracterisation. The EV UI has not been removed, it has been moved to a new location.
>>>>
>>>>> So my question to Mozilla is, why did Mozilla post this as a subject on the mozilla.dev.security.policy list if it didn't plan to interact with members of the community who took the time to post responses?
>>>>
>>>> What leads you to believe that Mozilla didn't plan to interact with members of the community? It is entirely plausible that if any useful responses that warranted interaction were made, interaction would have occurred.
>>>>
>>>> I don't believe that Mozilla is obliged to respond to people who have nothing useful to contribute, and who don't accurately describe the change being made.
>>>>
>>>>> This issue started with a posting by Mozilla on August 12, but despite 237 subsequent postings from many members of the Mozilla community, I don't think Mozilla staff ever responded to anything or anyone - not to explain or justify the decision, not to argue. Just silence.
>>>>
>>>> I think the decision was explained and justified in the initial announcement. No information that contradicted the provided justification was presented, so I don't see what argument was required.
>>>>
>>>>> In the future, if Mozilla has already made up its mind and is not interested in hearing back from the community, it might be better NOT to start a discussion on the list soliciting feedback.
>>>>
>>>> Soliciting feedback and hearing back from the community does not require response from Mozilla, merely reading. Do you have any evidence that Mozilla staff did not, in fact, read the feedback that was given?
>>>>
>>>
>>> If you are representing yourselves as having an open process, the lack of response on the list does undermine that claim. The lack of interaction on that particular topic actually speaks volumes.
>>>
>>> Both parties in Congress have already signalled that they intend to go after 'big tech'. Security is an obvious issue to focus on. While it is unlikely Mozilla will be a target of those discussions, Google certainly is and one employee in particular.
>>>
>>> This is the point at which the smart people are going to lawyer up.
>>> _______________________________________________
>>> dev-security-policy mailing list
>>> [email protected]
>>> https://lists.mozilla.org/listinfo/dev-security-policy
>>>
>>
>> --
>> Eric Mill
>> 617-314-0966 | konklone.com | @konklone <https://twitter.com/konklone>

