On 27/12/08 00:53, Eddy Nigg wrote:
> On 12/27/2008 12:54 AM, Ian G:
>> We can no more "prevent" bad certs than we can stop the winter from
>> coming. The point is to put in place economically reasonable policies
>> and practices that meet an appropriate balance of security versus cost.
>
> Yeah right! It really depends on what the right balance is, ehhh?!

There is no "right balance" just like there is no world peace. Security
is an economic phenomenon, not a beauty pageant.

>> So far the systems are dealing with it. Check the facts: CA was
>> notified. Reseller frozen. Certs revoked. Internal audits are checking.
>> External audit might get involved. This is what the systems are supposed
>> to do.
>
> The story starts before that. You are just seeing the tail; I'm seeing
> what preceded that - or better, what did not happen and should have.

That "earlier story" has no real place here, IMHO. This is a forum for
the discussion of technical, crypto, root and general PKI issues, by
either diktat or convention. It is not a forum for the airing of
general business complaints.

https://lists.mozilla.org/listinfo/dev-tech-crypto

I elsewhere mentioned there is no general mechanism for dispute
resolution; your "earlier story" might be a case in point. Or might
not. Either way, here is not the place to grumble about practices of
other businesses.

>> However, outside that week, there is no such protection. Where people in
>> this group have crossed the line, and made actionable statements, and/or
>> done actionable harm to a business or individual, they should note: it
>> is unlikely that Mozilla, or the community, or the businesses as a whole
>> will, can or should protect them.
>
> Are you speaking in the name of Mozilla? Or in the name of the
> community? Or in the name of which business exactly?

Having appreciated this point, a more interesting one is whether we as a
community think about opening up the processes for more open governance,
more open scrutiny, more stakeholder checking [1].

There seems to be an emerging consensus that more open is more better,
in general at least.

Would we be in a position to explore a general opening of all auditing
investigations and controls [2]?

E.g., where Comodo or any CA completes an internal audit and creates a
report to document that audit action, could we expect the CA or the
internal auditor to publish this as a routine action?

iang

[1] My thanks to Robin for underscoring that observation! I had to
kick myself for failing to see it.

[2] Plausibly, such a proposal will not be accepted in time for the
current case to be affected, but that's fine as this is a forum for
improving processes, not dispute resolution.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto