At 12:11 AM +0100 1/4/09, Jan Schejbal wrote:
>>Why is this relevant to this mailing list?
>
>Because there was a security failure in one of the Firefox trusted CAs 
>allowing anyone to get fake certificates. This event and the reaction of the 
>CA are important to determine if the CA is (still) trustworthy. It's the same 
>as the Comodo thing. Just with a way better reaction and without the dodgy 
>background of dozens of resellers doing (or, in at least one case, not doing) 
>the Domain Verification.

Sorry, but I don't see that listed as a topic for discussion on the mailing 
list's information page <https://lists.mozilla.org/listinfo/dev-tech-crypto>.

I propose that Mozilla form a new mailing list, dev-policy-trustanchors. The 
topics for that list would include:

- All new trust anchors being added to the Mozilla trust anchor pile
- Proposals for changes to the Mozilla trust anchor policy
- Complaints about particular participants in the current trust anchor pile
- Discussion of the UI aspects of the PKI in various Mozilla software

Topics that would still be germane for dev-tech-crypto would include:

- Questions on how to add or remove trust anchors from various Mozilla software 
(without any discussion of why someone wants to do it)
- Discussion of how to implement alternate UI schemes for PKI (that is, what 
hooks are available in NSS for detecting positive and negative results)

All of Eddy's recent threads (being slimed by a Comodo reseller, finding a 
reseller that doesn't do domain validation, advertising that he had a domain 
validation bug but fixed it) would all be appropriate on the new list.

The current list is way too unfocused. People asking actual tech questions get 
drowned out by threads that have literally nothing to do with crypto but 
everything to do with policy.

Thoughts?

--Paul Hoffman