I think it is a mistake to create a policy that favours those who can't look after themselves. Here are some quick reasons why.
1. Mozilla Foundation is not a utility, nor a public service. It's not a charity nor a group of do-gooders.
MF is a software group. Its aim, presumably, is to create good software, where good is not tightly defined.
Or, good is defined by the developer of the moment. If he or she says security for the NSA is good, then that's what it is. If told to favour the needs of some politically correct group over another out-of-favour group, all that will be achieved is that the developers will be distracted from their mission, which is to create good software, using their definition.
2. There is nothing wrong with the developers deciding to release versions tuned to typical users, and nothing wrong with them also doing the same for "big business / government / military." The policy shouldn't dictate that one way or another.
3. It should be MF's policy to protect developers from the undue influence of businesses, governments, charities, do-gooders and other people who wish to influence the actions of those that do the work.
4. Who the software is created for is an open question, and it is strictly and definitively answered by the concept of open source - the software is created for anyone who can follow the rules in the licence.
To pick one disadvantaged group and prepare one's software for them, at a policy level, is an error. Once people start relying on the software, they will ... rely on the software, which leaves someone on the hook.
5. If there is a typical user who cannot make security choices for themselves, that user can always refrain from using Mozilla, and can always purchase a paid and insured product from a supplier that looks after them. There are suppliers who can and do and want to sell these people software - with the appropriate security choices made, and it's not clear why it would be a "good thing" to provide protection to these people for free.
6. Alternatively, there already exists a general invitation for those users to come on over and try products like Mozilla. But, the usage should be on MF's terms, and not include any particular promises or preferences that the developers aren't explicitly happy with, on a release by release basis.
If such users want protection on their terms, they have a marketplace already, where they can buy the coverage and protection they need.
> 6. The risks taken into consideration in the policy's creation and
> implementation should be the security risks incurred by the "typical"
> Mozilla user,
I would say that
"where security decisions need to be made,
greater weight may be given to the 'typical' Mozilla user,
as determined from time to time by the developers and
implementors. This may be an "individual user", or may not
be; the Foundation leaves the decisions for each release to
the implementors."

iang

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
