On 30/12/08 23:25, Gervase Markham wrote:
> Ian G wrote:
> > A tightly closed membership, oriented to CAs in their chosen segment. As
> > CAs, they incline towards including two other groups, being the upstream
> > audit organisations who provide the WebTrust, and the downstream
> > browsers who consume the WebTrust.
>
> Which is not unexpected. A group concerned with CA certificates will
> have members who provide the certificates, and members who consume them.
> (Browser vendors - they use them to provide trust indicators or other
> user interface to their users.)
>
> > However, they include no other stakeholder groups. Of especial concern,
> > nobody who speaks for the end-user, even though they clearly intend as a
> > group to sell to these end-users.
>
> Certainly not selling "as a group" - several CAs are very touchy about
> anti-trust. :-)

Certainly they will say that in words :)

> We (the browser vendors) like to think we speak for the end users.

We all like to think it, but it is harder than we think :)

We all generally speak for our own interests. For Microsoft, e.g., it
is revenues (and to their credit, they state that in the CA policy
directly).

My personal view of Mozilla is this: the ecosystem is developer-led.
When Mozilla speaks, it is for the developer, or as a developer
speaking. It has a great deal of difficulty thinking outside the
developer box. There are quite a few positive points which improve this
situation, and Mozilla has been working for a couple of years to deal
with the bias: a good set of managers who aren't developers; a mission
that clearly identifies the end-user; a vocal community. These are good
starts, but my view is that Mozilla speaks as developers, and not for
the end-user.

Others will no doubt speak about how they view me :) Even I find it
hard to disentangle the unclear interests in my person: CAcert, audits,
security, end-users, architecture, finance, world peace......

> > Given such a structure, it is hard to see how they can avoid the fate of
> > protecting the franchise. Although I'm sure they do careful work in
> > documenting the current thinking,
>
> OK so far, probably. The EV guidelines are good documentation.
>
> > it is not reasonable to expect them to
> > do new thinking and to think about the new threat environment,

This bit should be clear; no CA can change the security environment of
PKI (Verisign was trying to do it for years, trying the same things as I
talk about and other security people talk about, but the structure
doesn't support change).

> > nor to
> > resist the trap of increasing work loads and complexity, and reducing
> > availability and delivered security.
>
> I am having trouble extracting meaning from that last sentence.

Yes, sorry, I was drifting into cartel and game theory. This is the
standard approach in economics to analysing associations, forums, etc.
Consider OPEC as an example. I know this is controversial in this
audience (developers and CAs); all I can say is, the approach is totally
standard in economics and other places where they think anti-trust thoughts.

See other mail for long explanation, sliced off for convenience.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto