Re: [FORGED] Re: SSL Certs for Malicious Websites

2016-05-27 Thread Gervase Markham
On 27/05/16 13:20, Peter Gutmann wrote:
> Apart from the lucky CAs who have been given government-
> mandated monopolies, would any CA still exist today if there weren't a need to
> pay someone to turn off the browser warnings?

It depends what alternative configuration-free idiot-proof secure
communications technology you have invented in your fantasy world to
take its place.

Whatever the disadvantages of the current system, it must be recognised
that it provides the ability for every single Internet user to have
their communications with any website that opts-in encrypted on the wire
without them having to do, know or configure _anything_. That's huge.

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Job: Is it OK to post a job listing in this forum?

2016-05-27 Thread Peter Kurrasch
I'm opposed to allowing job postings in this forum. The focus should be policy 
as that is the reason we have gathered here.

Job postings generally are intended for people in a particular country with a
particular level of experience who are actively seeking or receptive to a new 
job. Sending out off-topic messages that are intended for a subset of a subset 
of a subset of people here sounds like spam to me.



  Original Message  
From: Kathleen Wilson
Sent: Thursday, May 26, 2016 5:17 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Job: Is it OK to post a job listing in this forum?

Hi All,

I have been asked if it is OK to post job listings in 
mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked that 
question before, and I am not aware of a written policy about the content of 
postings to mozilla.dev.security.policy.

So, here is a proposal:
~~
Jobs may be posted if they meet the following criteria:
* The company/organization name is clearly listed
* The person posting the job information actually works for that 
company/organization and is not a contracted recruiter
* A single posting only (for each job opportunity)
* The person posting the job info is actively engaged in this 
mozilla.dev.security.policy forum
* The job opportunity is a role relevant to the forum's audience
* The posting consists of a paragraph outline and a "read more" URL
* The Subject of the posting begins with "Job: " 
~~

Does that sound reasonable?

As always, I will appreciate thoughtful and constructive input.

Thanks,
Kathleen




RE: [FORGED] Re: SSL Certs for Malicious Websites

2016-05-27 Thread Peter Gutmann
Ryan Sleevi writes:

>This seems both off-topic and not productively addressing the topic at hand.

Yeah, maybe it's best taken to another list like cypherpunks or the crypto
list.  It was intended as an honest, and probably pretty blunt, assessment of
the state of HTTPS: It was introduced to build consumer, and merchant,
confidence in using the Internet for business, killing the competing SET in
the process, and it's succeeded in doing that.  Once that was done, which
happened about 15-20 years ago, its main role became perpetuating the
existence of CAs.  Apart from the lucky CAs who have been given government-
mandated monopolies, would any CA still exist today if there weren't a need to
pay someone to turn off the browser warnings?

Peter


Re: Job: Is it OK to post a job listing in this forum?

2016-05-27 Thread Gervase Markham
On 27/05/16 04:09, David E. Ross wrote:
> I would have several concerns, mostly about Mozilla's ability to verify
> the criteria are met and the effort to do that verification.  For
> example, how would anyone here verify the following?

This is partly why there is an important criterion that jobs only be
posted by people who are already active forum participants. If jobs can
only be posted by people we know, we hope that will avoid the "gaming of
the rules" scenarios.

> If this is a valid use of news.mozilla.org, then perhaps a new MODERATED
> newsgroup would be appropriate.  However, that would still require
> assigning staff to moderate and monitor the postings, for which there
> would be a cost.

There is already a mozilla.jobs forum; however, the traffic is near-zero
and I suspect few if any members of this forum are also members there,
so posting there would be pointless. If having a separate forum has not
worked in practice, I think it's reasonable to try the integrated
approach if we can make sure we don't get the more obvious forms of
abuse, at least.

Gerv


