Frank, Thanks for all your good work on this policy! It is certainly path-breaking stuff.
I have some thoughts on point 12 (reproduced below for ease of debate). I understand and accept the central thrust of the point: that the policy needs to go ahead in advance of any technical features that we might bemoan the lack of. But, I have moved to the view (through the debates held here in the last month or so) that the policy is, at its very core, weakened by the "one size fits all" bug. In fact, I think it is so severely weakened as to be compromised (as presented, or even as modified, in any conceivable way). I.e., it will not achieve that quiet satisfied path to implementation that we might have hoped for, but will result in continual pressures to revise and revisit. This is in part reflected in the difficulty in achieving consensus. Rather than challenge the essence of point 12, however, I wonder if the thing to do might be to draft an additional, separate, recommendation to the Mozilla Board that outlines the flaw, the way it effects the policy and some other areas such as security, and recommendations for solutions. Such an additional, detached but aligned recommendation could permit meeting the original mandate, and also not lose the information and consensus built up on the list (at some cost in time and thought cycles to participants). It would also seem to be an appropriate way to get through the logjam of "it's a UI issue, not a crypto issue..." Thoughts (any, from anyone) ? iang Extract from: http://www.hecker.org/mozilla/ca-certificate-metapolicy/ 12. The creation or implementation of the policy should not depend on new Mozilla features being developed that are not already present in the current released versions. Rationale: The Mozilla project depends on volunteer efforts for a large portion of Mozilla development. Where people are in fact paid to do Mozilla development, it is usually to develop features of interest to their employers, and not anything else. Thus even though it might be nice to have new Mozilla features relating to CA certificates we have no guarantee that such features will be developed in a timely manner, or developed at all. On the other hand we need a policy now, since we are building a backlog of requests from CAs who'd like to have their certificates included, and we need to address those requests one way or the other. Therefore we shouldn't wait for new Mozilla features, but should create and implement the policy in the context of current Mozilla functionality. Note that this means that for the most part we have to live with the "one size fits all" problem where all pre-loaded CA certificates in Mozilla are treated essentially identically. Although it would be nice to have features like grouping CAs into different categories for purposes of trust, providing CA "branding" for viewing by users, and so on, we do not have the luxury of delaying the policy until such features are available. _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
