On 19/1/09 10:07, Eddy Nigg wrote:
On 01/17/2009 11:32 PM, Ian G:
In contract law, forums of dispute resolution are chosen by the parties.
Sometimes, but parties may even disagree on this.
Well, at the moment of agreement, they agree. If they disagree later,
then the courts support the agreement, as a principle. They are not
likely to knock down a "reasonable agreement" whatever that means.
In sum, courts may resolve disputes. Others may as well. It all depends
on the agreement. Mozilla can simply state that it resolves disputes ...
by simply stating it. No problem.
But Mozilla hasn't done that so far, nor have the CAs and other parties
agreed to that. Not even Mozilla has raised such an option so far.
https://wiki.mozilla.org/CA:Dispute_resolution#Introduction
Introduction
This is a tentative step to
1. document where Mozilla's CA area is at with disputes
2. set the scene for the future.
The first step is to document where we are now, with little emphasis on
suggestions for change. Originally [on dev.tech.crypto].
At the moment this is fantasy at best and not relevant. That's why I
insisted that your page does assume something which doesn't exist.
Mozilla is resolving disputes. It just hasn't said it, nor thought
about how it is doing it.
Now, we can either go two ways here:
* document what's going on and improve it
* back out
Which do you prefer? As I believe we are responsible people here, we
take our mission seriously, and we have lots of messy stakeholder issues
to deal with, I'm not interested in the following options:
* pretending it doesn't exist
* playing word games
* having our cake and eating it too
* finding ourselves in court
(Obviously, Mozo's counsel will have something to say here too, and may
well (a) disagree with the letter above, or (b) the spirit, or (c)
the suitability of the idea in the first place.)
"/Something to say/" is good... :-)
Right. Let me underscore _Something To Say_ here :)
I'm not sure from where you got this...which law are you following that
prevents Mozilla from doing so? Which legal requirements? Which
policies? Which agreements?
What happens is that party A gets wind of party B's intended action. So
party A files a dispute into court. Then, it immediately makes an
application to the court for an "injunction" which is an order from the
court to maintain things as they are, while the dispute is being heard.
Things like that can happen, it's just one possibility however.
The question is, what matters? In business, this matters because it
drives behaviour. Other "possibilities" don't matter because they don't
drive behaviour.
Now apply to say a root termination. This is a business-threatening
event. If Mozo started thinking about this, then it would very quickly
escalate to court & injunction. In my opinion (not legal advice, of
course) the business would have little option but to sue and file for
injunction.
Ergo, I conclude by the above logic that Mozo cannot drop a root. (OK, I
needed some other steps to get to that point, but they are not germane.)
I think that's just a wild assumption and any CA will check carefully if
it has a case at all against Mozilla. I suspect that if there are real
reasons to remove a root, the expenses for the CA will be too high in
the end - instead it will opt to fix whatever needs to be fixed in order
to get re-added to the pile (as Paul used to say). Hence removing a root
is one option, working with the CA to address the problems another. One
important thing to note is that CAs will most likely cooperate in
removing their root in case of key compromise.
Of course. All those things will happen, as long as the root isn't removed.
And besides that, Mozilla reserves the right to remove a root, modify
trust-bits etc. It doesn't have to get into the arbitration business for
that.
It has to get into the business in order to use that right. If it just
reserves the right, and doesn't use it, no problem.
The way to think of this as a security person is to think like an
attacker. What happens in an aggressive situation? Well, the sides
fight. What's the easiest way to fight? That depends on who has how
many lawyers...
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto