Eddy Nigg wrote:
> On 11/15/2008 06:29 PM, Ian G:
> <snip>
>> Either way we look at it, I feel that the more controls are put in
>> place, the more we end up putting in "paper fixes" and the more we
>> complicate things for a gain that we don't fully understand.
>
> I don't perceive it as such at all. What do we not understand? There is
> a very competent team at work (Kathleen, Gerv, Frank) and a few of us
> here. I think the issues are fully understood.

Not to speak for Ian, but I interpreted his comments as follows: We can
add more provisions to the policy to address particular situations, but
what do we ultimately gain in terms of enhanced security for end users?
It's like adding more and more provisions to laws or regulations in
order to cover special cases, to close loopholes, and so on. Is the
extra complexity (in terms of writing the laws and regulations,
interpreting them, enforcing them, etc.) worth the trouble? And in our
case we have to remember that me, Kathleen, and others don't have
infinite time and resources at our disposal.

> One of the problems is of course that no follow ups exist currently as
> you correctly stated above. So far nobody has ever dedicated time to
> review CAs not up for inclusion.

As I said, our time is finite.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto