Thank you Ben, this is really helpful.

Dimitris.

On 2020-11-09 6:52 PM, Ben Wilson via dev-security-policy wrote:
Hi Dimitris,

I intend to introduce the remaining discussion topics over the next three
weeks. I did not announce an end to the discussion period on purpose, so
that we can have as full of a discussion as possible. Also, in the next
three weeks, I intend to start summarizing the discussions and coming up
with new suggested language on those issues that have been discussed. I
expect that during December we will start to solidify the amendments to
MRSP (v.2.7.1), and that in January I'll announce a "last call" on the
amendments. Following that I will "summarize a consensus that has been
reached, and/or state the official position of Mozilla" - see
https://wiki.mozilla.org/CA/Updating_Root_Store_Policy.

Part of the discussion that will still need to take place deals with
implementation deadlines, timing, etc. Let's discuss that now for the
non-controversial items, and then in late December / early January for
those that are more contentious (assuming they remain in this batch of
changes).

Sincerely yours,
Ben Wilson
Mozilla Root Store


On Mon, Nov 9, 2020 at 2:45 AM Dimitris Zacharopoulos via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:


On 7/11/2020 3:12 PM, Ryan Sleevi wrote:

On Sat, Nov 7, 2020 at 4:52 AM Dimitris Zacharopoulos
<ji...@it.auth.gr> wrote:


     I will try to further explain my thoughts on this. As we all know,
     according to Mozilla Policy "CAs MUST follow and be aware of
     discussions in the mozilla.dev.security.policy
     <https://www.mozilla.org/about/forums/#dev-security-policy> forum,
     where Mozilla's root program is coordinated". I believe Mozilla
     Root store managers' minimum expectations from CAs are to _read
     the messages and understand the content of those messages_. Right
     now, we have [1], [2], [3], [4], [5], [6], [7], [8], [9]
     policy-related threads opened up for discussion since October 15th.

     If every post in these threads contained as much information and
     complexity as your recent reply to Clemens,


This seems like a strawman argument, but I don’t think it’s intentional.

You’re arguing that “if things were like this hypothetical situation,
that would be bad”. However, they aren’t like that situation, as the
evidence you provided shows. This also goes back to the “what is your
desired outcome from your previous mail”, and trying to work out
a clear call to action to address your concerns. Your previous
message, especially in the context of your (hypothetical) concern,
reads like you’re suggesting “Mozilla shouldn’t discuss policy changes
with the community”. I think we’re all sensitive and aware of the
desire not to have too many parallel discussions, which is exactly
why Ben’s been only introducing a few points a week, to facilitate
that and make progress without overwhelming.

To the contrary, I want more people to be able to participate in these
discussions, which is precisely why I "complained" about the size of
your response to Clemens :-) Keeping our replies to reasonable levels,
with a mindset that this is an International Internet community and
people might be interested to participate (even auditors that are not
native-English speakers), I believe is a good thing.

I also see that Ben has introduced a lot of policy proposal topics for
discussion in a short period of time, but I don't know what the
expectations about their "discussion time" are. Should anyone just pick
any topic and start a discussion? That might introduce a lot of parallel
discussions and I'm not sure if this is desirable by Ben. Perhaps we
need some coordination on these topics, for example "please send
feedback for topics 1 and 2 before the end of week X. If no feedback is
received, we'll deem the proposal accepted", something like that, before
moving to other topics.

As it relates to this thread, or any other thread, it seems the first
order evaluation for any CA is “Will the policy change”, followed by
“What do I need to do to meet the policy?”, both of which are still
very early in this discussion. You’re aware of the policy discussion,
and you’re aware a decision has not been made yet: isn’t that all you
need at this point? Unlike some of the other proposals, which require
action by CAs, this is a proposal that largely requires action by
auditors, because it touches on the audit framework and scheme. It
seems like, in terms of expectations for CAs to participate,
discussing this thread with your auditor is the reasonable step, and
working with them to engage here.

Hopefully that helps. Your “but what if” is easily answered as “but
we’re not”, and the “this is a lot, what do I need to do” is simply
“talk with your auditor and make sure they’re aware of discussions
here”. That seems a very simple, digestible call to action?

It helps me understand your point of view but it seems that you don't
acknowledge the need to keep these emails to a reasonable and digestible
size, regardless if the intended recipients are auditors, CAs, Relying
Parties. You seem to dismiss my point and the fact that some messages on
this list have been, in fact, very long and very complicated which makes
participation and contributions very difficult. I trust that we are both
interested in truly meeting Mozilla's goal for an open Internet
community (which includes contributions from International
participants), so please help the community by trying to break down
complicated responses into simpler ones, and let's all try to use
shorter, to-the-point answers.

Indeed, this particular policy change proposal seems to mainly affect
Auditors, but individual members of this community (either representing
CAs or as Relying Parties) might also be interested to participate, just
as Auditors and Relying Parties may participate in discussions around
policy change proposals that affect CAs. FWIW, I think changing the
rules for auditors also affects CAs because it creates an opportunity
for CAs to have engagements with individual auditor persons, as long as
they are accepted by Mozilla.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
