Frank Hecker wrote:
Frank Hecker wrote:
I know it's easy to believe that there's some sort of conspiracy
(e.g., between the Mozilla Foundation and commercial CAs) to keep
CAcert's certificate out of Firefox, etc., but I am not a party to
such a conspiracy.
One more point worth noting: In defending myself against the charge
that I'm part of an "anti-CAcert" conspiracy, I realize that I may
leave myself open to the charge that I'm part of a "pro-CAcert"
conspiracy. For the record, my goal of this whole policy exercise is
neither to keep putting barriers in place to keep CAcert out, nor to
keep bending the rules until CAcert can slip in.
It shouldn't need to be said, but I suppose it has
to in this world of aggressive bluster and threats
of favouritism leading to court appearances over
specious claims.
Rather my goal is for us to come up with a policy that a) is in line
with the overall goal of promoting security for typical Mozilla users,
b) treats CAs reasonably equally and doesn't unnecessarily
discriminate against new CAs that may not conform to the traditional
commercial PKI model, and c) can achieve at least a rough consensus
among the people who have an interest and stake in this matter.
I would order it a) security for typical users,
then b) the rough consensus. Whereas only
the rough consensus leads to further security
being delivered so these will work together.
On b) treating CAs with equality.
MF is a private organisation, with the goal
of delivering (secure) software to its users.
It owes nothing to CAs, neither fairness nor
responsibility.
The only reason to treat CAs fairly would be
if it assisted in goal a) which it may very well
do.
But there are limits. If I as a CA know that
your goal is to treat all CAs fairly, I can
abuse that (look at some of the shenanigans
that go on with antitrust suits in court in
MF's neighbourhood where ICANN maybe
by nature of its 'public role' may feel the
need to treat all contenders equally).
I don't see it as being unreasonable to drop
a CA on the grounds of it being too much
trouble to treat 'fairly'. CAs may be put out
at this, but let them make a case for why
they should be treated other than as giving
a security benefit to users.
Just IMHO!
iang
PS: For those with a political/economics leaning,
the notion of treating people in business with
equality is a sort of hangover myth from the
days of socialism, where corporations were
given monopolies in service, in exchange for
a guaranteed package of subsidies and a
requirement to treat all customers equally.
In the free market alternative, there is no
requirement to treat anyone fairly, and in
fact there are many benefits in not doing so.
For example one occasionally reads of 'firing
the expensive customers' or supermarkets
using tracking software to provide bad
service to people who are too canny to
deliver a profit.
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto