Frank Hecker wrote:
Nelson B wrote:
Ian G wrote:
There is no judgement without liability, and in
the US, no liability without being sued.
I've raised this issue before, repeatedly, and Frank has always
replied that ... Well, I'll let him reply.
Straight from the metapolicy:
Ah, I see what you are getting at. Now, there are
two "projects" going on here. One is the formal one
of determining the CA ascension procedure. The other
is the "informal" one of discussing the future security
directions of the Firefox browser.
This thread started out as a discussion of revocation
and chrome improvements. The revocation has some
bearing on the ascension policy because it has been
suggested that this might suggest the "low"/"high"
metric that is sought after. But that's debatable,
my suggestion there is that the policy should not
take into account revocation.
And the chrome discussion is parallel and orthogonal
to the CA ascension policy project being run by Frank.
So having disentangled these two areas, whether MoFo
is in or out of the judgement business is an orthogonal
issue to the CA policy. However, IMHO, it is a much
more important question, and it is kind of difficult
to discuss the CA policy question cleanly without
dragging in the issues of the security environment
of today.
Which means that all the below definitely applies to
the policy ... that's fine.
But the topic still remains! What we lack is a
ruling or statement or guidance from board/counsel.
Which is an absence of an answer, not a "No."
"First, the primary risk associated with CA certificate selection is a
security risk. The legal risk is secondary, in the sense that it is a
consequence of the security risk and not vice versa; therefore the
policy should address security risks first and foremost. Second, the
people creating and implementing the policy are not in a position to
assess legal risks and attempt to mitigate them, given that a) they are
not lawyers, and b) even if they were lawyers, they would not
necessarily be in a formal attorney/client relationship with all the
parties with a stake in this policy.
"More specifically: Any legal risk to the Mozilla Foundation as a result
of this policy is for the officers and board of the Mozilla Foundation
to judge, based on advice from Mozilla Foundation counsel. This policy
will be submitted to the Mozilla Foundation for review and approval
before its formal adoption, and that's the proper time for them to do
any analysis needed and propose any desired changes to the policy."
How much money has Mozilla Foundation got?
Enough to hire real lawyers :-)
Good to hear. In my next life I want to be a lawyer.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/