My point is simply this: Every time someone has suggested making NSS independently configurable, every time someone has stated that providing a means for system administrators to provide additional root certificates (particularly in situations where user profiles already exist and should not be bothered), and every time someone has suggested adding an additional system-wide root store, Nelson et al have directed the requestor to the Client Customization Kit -- even after it was apparent that the CCK was not being updated any longer.
The need has been put forward. The requirement has been made plain. I don't know how else to describe it.

I should also note that I can't even figure out what group is responsible for the changes that need to be made to make it possible -- much less understand the code base enough to create the patch myself. I also have severe doubt, from the comments of the people required to approve such a patch on this list, that any patch I would submit would be approved.

I've been trying to figure out a way to proceed, trying to figure out a way to build consensus (granted, this is something I'm extremely poor at), trying to figure out what changes would be acceptable to the Powers That Be. Sure, there's nothing wrong with getting my hands dirty -- except that without any indication that the Powers That Be would be willing to change their stances, it would be futile, and it would simply be One More Wasted Effort.

-Kyle H

On Sun, Aug 24, 2008 at 1:32 AM, Gen Kanai <[EMAIL PROTECTED]> wrote:
> On Aug 24, 2008, at 11:29 AM, Kyle Hamilton wrote:
>
>> I'm rather appalled that you are ignoring the realities of
>> US government user requirements. I can state with enough knowledge of
>> regulation and policy behind me that I believe that it is primarily
>> due to your lack of acknowledgement of the requirements in-place that
>> Firefox has not enjoyed greater US government agency penetration.
>
> Mozilla's goal, since the beginning of the project, has been to
> provide free and open source software to end-users, specifically
> consumers who did not have a choice for browsers after the demise of
> Netscape. That said, there's always more to do, and there's nothing
> stopping anyone from contributing in order to make Firefox better for
> any government. Fwiw, Firefox has users in government agencies around
> the world (including the French Gendarmerie Nationale.)
>
> http://www.forbes.com/2006/02/06/ballmer-microsoft-france-cx_cn_0206autofacescan03.html

Go France.
Too bad the US has a Congressional mandate.

>> Simply put, the CCK is not an option for people who prefer to use
>> Firefox 3, or for anyone who wishes to use or deploy any other Mozilla
>> product. For most people it has been recommended to, it never truly
>> was an option.
>
> It is a shame that the CCK isn't updated and isn't more widely used,
> but there's nothing stopping anyone, including developers from just
> about any government, from putting efforts into the CCK.

It's also completely irresponsible to point people who are trying simply to use and support Firefox in their organizations to a tool that doesn't even work -- to have to try to dedicate time to improving the tool to make it possible. I thought the goal was to increase the usage of Firefox and make it possible to exist in places it currently doesn't, not force people to misuse their employers' time to make it happen.

>> I respect your tenacity, MisterSSL, but I sincerely hope that you
>> realize that it is solely YOUR office and YOUR office's mandates --
>> mandates which you have repeatedly been requested to change, each and
>> every request completely ignored and the requestor directed to
>> something which cannot meet their needs -- which is preventing wider
>> adoption of Firefox, Thunderbird, and all other Mozilla Foundation
>> products.
>
>
> In my opinion, it is exactly _because_ of the efforts and leadership
> of the NSS team, Nelson, Wan-Teh, Bob Relyea, Bob Lord, Kai Engert,
> and all of the NSS module owners (as well as other Mozilla modules)
> and contributors world-wide, that Firefox has over 200 million users
> worldwide and is the second most popular browser behind the convicted
> monopolist from Redmond, WA, USA.
>
> That the US Government chooses to use software from the very company
> that the US DoJ itself indicted is beyond my comprehension.

Show me a desktop OS with an integrated FIPS-validated cryptographic system, and I'll show you a desktop OS from Microsoft.
It's not a "choice", per se -- the US Government is split into 3 branches, and 2 of those branches are required under the document that forms the federal government to adhere to the mandate handed down from the third. The DoJ is in one of them, and the Judiciary is in the other -- with the Legislative branch being the one to create the mandate entirely.

> http://www.usdoj.gov/atr/cases/f3800/msjudgex.htm
>
> http://en.wikipedia.org/wiki/United_States_v._Microsoft

Nice links, but irrelevant.

> Does Mozilla have more to do? Yes.
>
> Is there anything stopping anyone from contributing? No.

Er, I must disagree. US government employees are generally precluded from interfering in commercial affairs. They cannot compete against private enterprise; they cannot involve themselves in any private enterprise that would provide even a hint of "favoritism". There /is/ something stopping those who understand best what the needs are from contributing.

> Should we expect the module owners, who already have responsibilities
> for supporting goals more important than "US government agency
> penetration" to drop what they are doing in order to do that? I'll
> leave that to your own conclusion. I've already made up my mind on
> this issue.

If it were solely US government agency penetration that I was worried about, I'd cede the point. However, it's not merely US government agency penetration, it's US corporate penetration.

The University of Phoenix, for example, uses a MITM proxy for all SSL/TLS connections. From their corporate network, a connection to https://www.bankofamerica.com/ actually shows (if the user actually cares to look) a certificate issued to '*'. This is a direct result of their corporate counsel's reaction to the Buckley amendment, requiring full auditing capability of every communication from their corporate network to ensure that private educational data is never released improperly.
To the best of my knowledge, they create a profile which is copied into every user's home directory at user creation.

The fact is that the module owners (and teams working thereon) are doing their best to do things pedantically correctly. This is laudable. But, without realizing that their idealism is preventing administrative pragmatism -- if it's cheaper in the long run to allow a policy to be centrally set without having to train on and deploy new tools -- every bean-counter in the world is going to go for the long-term cheaper option. It is this which continues to make IE the dominant browser.

The worst part about it? I have seen nothing to suggest that either the NSS team or the PSM team would accept any changes which would make it easier for the software to be centrally administered and configured.

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto