Frank Hecker wrote:
> [I'm trying to catch up on these threads, my apologies for the delay. I
> don't have time to respond to every message, unfortunately.]

(I understand, I also feel the pressure.)

> Ian G wrote:
>> If that was true, there would likely be an agreement between Mozilla
>> and Verisign (following the above RPA tradition) explicitly giving
>> Mozilla permission to RELY.
>>
>> I'm not Mozilla, so I guess we have to ask: Frank, is there any
>> such agreement that explicitly gives Mozilla permission to RELY?
>
> We (Mozilla Foundation) do not sign explicit agreements with CAs
> regarding inclusion of root certificates, and never have to my
> knowledge. Whether our dealings with CAs result in an implicit
> contract/agreement is a question that (as a non-lawyer) I'm not prepared
> to express an opinion on.

I've been thinking a lot about this, too, and have a lot to say, but this is a technical forum, and legal agreements don't compile... Is there a better place?

> Whether it's a good idea to have such agreements in future is an open
> question, and I don't have any useful thoughts on it right now. However

My thoughts, compressed: for the CAs, much work has been done in the past on the legal framework. The upshot, the final result, of that work is that the CA's liability to the end-user is zero. Meanwhile, users continue to rely on stuff, do stupid things, and the environment is getting worse. If they muck up and decide they want remedy, then I would fear that the legal theory of "deepest pockets" is applicable. Mozo is stuck between those two forces. So, to cut a lot of analysis short, the obvious course is to follow the "simple view" and disclaim all liability to users on the basis of using certificates.

> I will say that in terms of our ongoing relationship with our users, at
> least for Firefox, the relevant legal framework will be that outlined by
> Harvey Anderson (general counsel for the Mozilla Corporation) in his
> series of blog posts at <http://lockshot.wordpress.com/>. Any explicit
> agreements with CAs would have to be consistent with that framework.

Yes, I've read the last few posts on that, I think my thoughts are consistent, at least. There is a lot more to say about this... is there a forum that is better at this stuff than a technical forum? I posted a comment on the last blog entry on this topic.

iang

