On 7/11/2020 3:12 p.m., Ryan Sleevi wrote:


On Sat, Nov 7, 2020 at 4:52 AM Dimitris Zacharopoulos <ji...@it.auth.gr> wrote:


    I will try to further explain my thoughts on this. As we all know,
    according to Mozilla Policy "CAs MUST follow and be aware of
    discussions in the mozilla.dev.security.policy
    <https://www.mozilla.org/about/forums/#dev-security-policy> forum,
    where Mozilla's root program is coordinated". I believe Mozilla
    Root store managers' minimum expectations from CAs are to _read
    the messages and understand the content of those messages_. Right
    now, we have [1], [2], [3], [4], [5], [6], [7], [8], [9]
    policy-related threads opened up for discussion since October 15th.

    If every post in these threads contained as much information and
    complexity as your recent reply to Clemens,


This seems like a strawman argument, but I don’t think it’s intentional.

You’re arguing that “if things were like this hypothetical situation, that would be bad”. However, they aren’t like that situation, as the evidence you provided shows. This also goes back to the “what is your desired outcome from your previous mail”, and trying to work out what a clear call to action to address your concerns would be. Your previous message, especially in the context of your (hypothetical) concern, reads like you’re suggesting “Mozilla shouldn’t discuss policy changes with the community”. I think we’re all sensitive and aware of the desire not to have too many parallel discussions, which is exactly why Ben’s been only introducing a few points a week, to facilitate that and make progress without overwhelming.

To the contrary, I want more people to be able to participate in these discussions, which is precisely why I "complained" about the size of your response to Clemens :-) Keeping our replies to reasonable levels, with a mindset that this is an international Internet community and people might be interested in participating (even auditors who are not native English speakers), is, I believe, a good thing.

I also see that Ben has introduced a lot of policy proposal topics for discussion in a short period of time, but I don't know what the expectations about their "discussion time" are. Should anyone just pick any topic and start a discussion? That might introduce a lot of parallel discussions, and I'm not sure if this is desirable to Ben. Perhaps we need some coordination on these topics, for example "please send feedback for topics 1 and 2 before the end of week X. If no feedback is received, we'll deem the proposal accepted", something like that, before moving on to other topics.


As it relates to this thread, or any other thread, it seems the first order evaluation for any CA is “Will the policy change”, followed by “What do I need to do to meet the policy?”, both of which are still very early in this discussion. You’re aware of the policy discussion, and you’re aware a decision has not been made yet: isn’t that all you need at this point? Unlike some of the other proposals, which require action by CAs, this is a proposal that largely requires action by auditors, because it touches on the audit framework and scheme. It seems like, in terms of expectations for CAs to participate, discussing this thread with your auditor is the reasonable step, and working with them to engage here.

Hopefully that helps. Your “but what if” is easily answered as “but we’re not”, and the “this is a lot, what do I need to do” is simply “talk with your auditor and make sure they’re aware of discussions here”. That seems a very simple, digestible call to action?


It helps me understand your point of view, but it seems that you don't acknowledge the need to keep these emails to a reasonable and digestible size, regardless of whether the intended recipients are auditors, CAs or Relying Parties. You seem to dismiss my point and the fact that some messages on this list have, in fact, been very long and very complicated, which makes participation and contributions very difficult. I trust that we are both interested in truly meeting Mozilla's goal for an open Internet community (which includes contributions from international participants), so please help the community by trying to break down complicated responses into simpler ones, and let's all try to use shorter, to-the-point answers.

Indeed, this particular policy change proposal seems to mainly affect Auditors, but individual members of this community (either representing CAs or as Relying Parties) might also be interested in participating, just as Auditors and Relying Parties may participate in discussions around policy change proposals that affect CAs. FWIW, I think changing the rules for auditors also affects CAs, because it creates an opportunity for CAs to have engagements with individual auditor persons, as long as they are accepted by Mozilla.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy