Nelson B wrote: My point is this. The BUG TRACKING system is not a place for advocacy of any kind, on topic or off. It is a place for technical issues to be discussed. If there was a technical problem with adding one of the proposed CA certs to the trust list, the bug would be the right place for it to be discussed, because the discussion would help the assignee of the bug to solve the technical problem. That's what the bug tracking system is for. NOT FOR ADVOCACY.
I think your use of the "technical" vs. "advocacy" dichotomy is somewhat misleading.
After writing this I realize I did you a disservice by not explaining exactly why I think the distinction between "technical" vs. "advocacy" comments in Bugzilla is a misleading distinction in this context. My apologies.
Here's what I meant: When you get assigned a bug about (for example) Mozilla not properly recognizing a particular certificate, this really is a technical issue for the most part; in all (or almost all) cases this bug is ultimately resolvable into either a bug in Mozilla or a problem in the certificate itself. There might be some side discussion about whether the certificate format is really correct or incorrect, perhaps given some ambiguity in the relevant specification, but at heart this is a technical issue and "advocacy" comments are for the most part inappropriate and out of place.
However, when I (or whoever) get assigned a bug about adding a particular CA's root cert, then even if there's a defined policy the decision is ultimately going to be (to a significant extent) a judgement call based on perceptions of the risk/benefit tradeoffs for that particular CA. These perceptions are a function of the opinions and beliefs of the person who makes the decision and of the people who participate in the discussion and provide input to the decision, and to the extent that people put forth those opinions they're engaging in a form of advocacy. So in this sense I think that "advocacy" is natural and appropriate in this context, as long as it's on topic as I noted previously.
Now I guess we could try to remove this possibility for advocacy and try to make decisions about CA cert inclusion more like decisions about technical features, by arranging things so that there's a definitive "right" answer. For example, we could make the decision very cut and dried by automatically approving any CA with WebTrust endorsement and automatically rejecting any CA without it. Not much need for judgement there, at least on our part.
I don't happen to think that is the best approach for the Mozilla project, for reasons I've discussed at length elsewhere. However I do recognize that it makes decisions easier and quicker, and given the time delays we've had here it's certainly tempting to employ it in certain cases; see my next message.
Frank
--
Frank Hecker [EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
