Nelson B wrote:
[thanks for the clarifications, snipped!]
>> So, if we were to file a bug asking to revert
>> back to the security model of the signer's
>> brand, that would be an easier sell?
>
> I don't think so. Today the browser UI decisions are made by a
> different set of folks than 8 years ago. Or to put it another
> way, it would be an easier sell to people who don't work on
> mozilla now. :)
I was afraid of that. So even if everyone in
the crypto side agrees with this, we still have
a monumental task ahead to convince the
UI team.
Some sort of cross-Mozilla coordination seems
to be needed.
Normally, this would be the job of the security
director. Where a project has a security goal,
it establishes a mandate that the security needs
can trump other needs. To coordinate and rule
on these issues, a security goal-driven project
would have a security director, who was capable
of holding up deliveries, and all sorts of draconian
things like that.
Now, I gather by absence that Mozilla has not
as yet signed up to a security goal. Probably
because it is a tough thing. (I gather FreeBSD
has a security goal, and OpenBSD's *only* goal
is security.)
In absence of that, and in absence of a cross-
organisational lead in this area, maybe a special
project like that which Frank Hecker's running?
Frank's too busy and made it clear that he's
doing the CA policy project. How do we clone
Frank? Does bugzilla have that feature?
Just musing aloud here... With an eye to the
increasing market share of Firefox based on
a perception of security and robustness...
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/