Whatever policy we decide, millions of people are still going to come to ftp.mozilla.org, download Mozilla or Firefox builds and start using them for secure sites. These people expect to be safe. By weight of numbers, and in terms of Mozilla Foundation focus, they are our customers.
...
I don't follow the line of argument that says "people aren't paying us for security therefore we shouldn't provide any."
That's not an argument that I am familiar with, either :)
I think Mozilla should provide security, because it's good and useful. Not because customers are or aren't paying for it.
What is a worry is that there are many people who know enough about security to be dangerous, and these people are fond of telling others how it is done (ask me, I'll tell you...).
Sadly, many of them are wrong, but can we tell the difference? Security is a very difficult subject, it is cross-discipline, and subtle; it has active attackers whereas most other disciplines only have to deal with passive forces.
One way to protect from that influence is to *not* expect your "customers" to help too much, and to be only fairly circumspect about claims received about how this or that should be done. That's what I mean by it not being Mozilla's mission to serve this group or that group.
Meanwhile, Mozilla has both a chance and a curse - to learn how to do security. Afresh.
Just IMHO.
iang
