Kyle Hamilton wrote:
> Without fear of delisting and decertification, CAs are running
> roughshod (not just 'are going to run roughshod', but 'ARE RUNNING
> roughshod'), making a farce of the process and the 'trust' in place.
> Without a clear view of user security held by a majority of the
> Mozilla Foundation board, everything that happens on this list with
> respect to CA inclusion requests is as effective as pseudointellectual
> masturbation.

Kyle, even though part of your argument might be correct, you are doing a great injustice to some of us here, especially to the ones who bother to review the CAs. Also Frank and Gerv invest quite some time into getting this right, starting from reviewing the bugs, keeping track of all the CAs' respective statuses and so forth (see http://www.mozilla.org/projects/security/certs/pending/ for example). The handling of everything related to CAs has reached levels I believe Frank never envisioned. There is a huge amount of work to be done and in this respect I suggest that instead of ranting you lend a hand and start to influence the process.

This might perhaps surprise you, but I know of CAs which are already rejected or pending for various reasons at the bug level and aren't even considered for inclusion (of course they all have the chance to correct and/or provide whatever is missing). And just last summer a few CAs were not included after the comment period because I submitted an extensive review of the CAs in question, backed up with facts and arguments. This isn't "pseudointellectual masturbation" (so I liked this phrase...I had a good laugh)!

However, there must be valid reasons and objections which must be brought forward at the latest at the comment periods in order to prevent an inclusion of a CA which shouldn't be included. This comment period is very unique and I learned to appreciate the fact that the community has a chance to review the CAs put up for inclusion, before actually doing so.

Conclusion: Pick on the CAs up for inclusion, read the CP/CPS, check the auditors and audits submitted, check out the root certificates, read the comments in the bugs and make your arguments. Concerning CAs which are already included and you suspect fraudulent behavior, non-adherence to the Mozilla CA policy or other issues, you should provide the information and make your voice heard. I'm not aware that you've done so lately...

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto