The meta-message Nelson's post gives me is that we would be highly foolish to ignore his expertise and experience and implement a CA certificate policy with which he was unhappy.
Gerv, if you review the discussions on n.p.m.crypto over the past few months, plus the iterated drafts of the proposed CA certificate policy, I believe you will find that I have tried to address Nelson's concerns as well as those of others who have participated in the discussion. (And if Nelson or anyone else believes that this is not the case, then they are perfectly welcome to speak up and say otherwise, either in this forum or through private communication to you and others on mozilla.org staff. I don't mind people complaining if they believe they have valid complaints, and in fact I encourage people to do so.)
However, the problem is (and I don't mean to single Nelson out in this regard) that we can't have a policy that basically amounts to "we will approve or reject a CA based on how happy Nelson (or Gerv, or Frank, or whoever) is with including it". IMO we have to have a policy that takes the concerns people have and transforms them into policy guidelines that can be reasonably applied without resorting to too much personal subjectivity, and can be justified as reasonable given the circumstances in which we find ourselves.
That is why I am trying to pin down people (including Nelson, but others as well) as to the exact nature of their concerns and how exactly those concerns might be reflected in policy. I can understand if as a result some might perceive me as being skeptical or dismissive of people's concerns. I certainly don't mean to be dismissive, but I will definitely plead guilty to being skeptical at times--not to be contrary but rather to try to get clarity on the various questions at issue here.
Frank
--
Frank Hecker

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
