On 17/1/09 01:03, Eddy Nigg wrote:
On 01/16/2009 06:16 PM, Ian G:
What is the difference? A complaint is a dispute as far as I can see.
Dispute:
"A controversy or dispute occurs when parties actively disagree, argue
about, or debate, a matter of opinion. Controversies can range in size
from private disputes between two individuals to large-scale
disagreements between societies."
There are other definitions for "Disputes". A dispute happens between
different parties and "dispute resolution" is the process of resolving
disputes between parties.
Once you name a CA and put in a "complaint" about its practices, this is
a dispute.
Complaint:
"A complaint is an expression of displeasure, most likely accompanied
with a claim made about another party."
OK, these would be my points:
Once you name another party, then you are likely in dispute. Once you
specify a remedy, an action that should be done, then you are likely in
dispute. Once someone crosses a line, then that should be treated as a
dispute.
Saying something is only a complaint is like a word game; it might
allow you to think you can say stuff without it being treated properly.
But, this is a false sense of security.
It's also irresponsible and unprofessional, and likely if we want to
make this distinction, we will have to think about a policy of no
complaints. You can't have your cake and eat it too.
Now, just to make it clear, I'm all in favor of having formal rules and
procedures applied, but I don't agree on the scope and aims of your
proposal.
Mozilla might be party to a dispute, but in no way can provide dispute
resolution.
Mozilla can provide dispute resolution, and I would argue they are
already doing it, albeit badly.
It is an open question as to whether they should continue on that path;
it is another open question whether they can get off that path.
But they certainly can do it, I'm unsure what you mean by "in no way."
Mozilla can decide to perform certain actions by being a
party to a dispute between itself and a CA (which requires active
disagreement between those two).
I doubt it can do that at the moment. If the CA doesn't want that act,
then Mozilla would have to be very careful. Very careful might be
defined as doing nothing, or following a procedure that was documented
and agreed, or doing what it was told. That's a problem with disputes,
one has to be very careful.
Mozilla can not act as an instance for
dispute resolution between subscribers, relying parties, certification
authorities and itself. With Mozilla itself being a relying party, at
most, it can be party to a dispute.
Well, that is an important point; that is a conflict in its handling of
disputes. We could argue that Mozilla is not an independent party. We
could agree to accept that, or seek an alternate.
Mozilla has its own interests as a relying party, whose interests might
not necessarily be the same interests as those of other relying parties.
Right, on this I agree. There is a sea of interests to be covered here,
and it is not even clear that mozo people can represent end-users [1].
As far as choosing to add a root to the list, Mozilla Foundation have
already established their place. They have already declared that they
will act according to a policy and set of interests (whatever they may be).
As far as a relying party goes, they are the owner of the list, so they
have a compelling interest in running that list, and I suggest that they
stick with the responsibility. For now, because there aren't any good
alternatives that I see.
However Mozilla might decide to perform certain actions, based upon
knowledge due to a complaint, in order to protect its own interests.
There is an inherent difference between this and your proposal I think.
Indeed. In my proposal it is less arbitrary. They will be able to do
certain things, more so than before. Right now, they cannot drop anyone
from the root list. Right now, about the only thing they can do without
fear is to write and ask stuff. This proposal will make it easier to act.
iang
[1] Two recent comments, Jonathon put it like this: "Obviously [we
are] representing a browser, but Mozilla's interests tend to align with
end users most of the time." versus Julien's "Typically the NSS
priorities are dictated by the needs of the companies that employ most
of the NSS developers, that is to say, Sun, Red Hat and Google, and
these can change over time."
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto