Hi Nelson and everybody else...thanks for the constructive answer...
Nelson Bolyard wrote:
>> Is this the way things would be done at Mozilla for the implementation
>> of this proposal?
> I think you need to investigate and report on the feasibility of your proposal.
OK (But why do you think it's "you" and not "we"? Aren't you interested
in fixing something broken? Or is everything just fine and doesn't need
improvement?)
> In particular, I think you ought to find out what is the likelihood of either:
> a) mozilla agreeing to do all this evaluation of their CAs, or
I didn't suggest that, and I have answered several times how this could work...
> b) a significant percentage of the CAs agreeing to do this as self-evaluation.
Also here I provided a solution (by having CAs sign up to the Mozilla CA
policy, something which should be done in any case).
> I suspect neither of those has very high probability. Consider:
> - I'm pretty sure mozilla foundation wants to stay out of the CA judgment
> business. Executive Director Frank Hecker has consistently said so.
Right, I agree and said that as well...our proposal nowhere even
suggests it...
> - Mozilla's market share just isn't high enough any more for it to be able
> to impose this on the CA industry.
I don't know if this was a typo of yours ("/high enough any more/"??),
but I believe that Mozilla is today in a very good position to help
improve some things. Our proposal isn't some brutal intervention in the
CA business, but rather an adoption of current CA practice. The
difference would be that the browser will know more about verification
levels. I don't think that this is "imposing" anything on anybody....
> The CA industry has been wrestling with
> this issue for over 2 years now, and the best they've done so far is to
> come up with the EV proposal, which still isn't approved by the full CA/B
> Forum membership (even though most of them are now following it).
:-(
However at this stage I want to make an interim statement concerning the
proposal we put forward:
I made a first step by putting this proposal on the table. I also tried
to answer any question and explained the general idea. I also found a
lot of common ground for it and many seem to agree. I believe, even if
it's not perfect and there might be some problems which we'll have to
solve and also make some compromises - it's the best thing we can do,
taking into account all facts, forces and probabilities. This step is
perhaps the right thing and has maybe been overdue for a long time....and
wasn't done for whatever reasons (IE monopoly and stagnation?).
But we are not going to push it much further...The Mozilla community and
the people involved here can come to a decision...if this proposal can
be worked on and can be a better solution for the current problem. You
can make it yours, take it, improve it, refine it, implement it. I'll be
glad to invest and find solutions for whatever challenge arises with it
and I'm sure there are [solutions to it]. I'll be glad to advise,
suggest, warn or whatever, because we are simply interested in it. This,
because whatever EV offers isn't enough, solves maybe one problem, but
creates also some others, including one which affects us directly...We
can all try to work for a real improvement or simply keep our heads
down....or instead of leading, being led by others...The decision is
yours! And now read this again:
> The CA industry has been wrestling with
> this issue for over 2 years now, and the best they've done so far is to
> come up with the EV proposal, which still isn't approved by the full CA/B
> Forum membership (even though most of them are now following it).
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security