On 01/20/2009 06:50 PM, Ian G:
This is what I believe Mozilla cares about.
Mozilla doesn't need to resolve disputes, it must know
what to do under certain circumstances in order to protect itself and
its users. Those are two different kinds of things.


OK, so let's say you are Mozo, coz you know what they care about, and it
is YOUR DAY IN COURT! Because you care.

Well, that day happens way before you get to court. I've been suggesting a while ago that CAs sign on the dotted line of the Mozilla CA policy (at least, if not an outright agreement stating a few things). Mainly CAs should know, accept and agree to section 4 of the Mozilla CA policy.

Imagine a CA has sued you, and a bunch of users are lining up a
class-action. The rest of the CAs are up in arms about the favouritism,
and the media smells blood. The lobbying and public opinion thing is in
full swing [1].

Yeah...and ACTION! :-)

Besides that, I simply believe that it never will happen this way because CAs have an easier and cheaper way of fixing whatever needs to get fixed. Assuming that all CAs will be and are treated equally, I don't have any reason to believe something else. I've been in contact with many CAs and this is the general tone. A policy or required practice is acceptable as long as it applies to all CAs.

Who really has the lawyers?

Right! Like the water flows the easiest way it can, CAs will do the same. Paying lawyers and getting into court with Mozilla is perhaps harder than to apply a change to a certain practice or whatever.


I see some techies discussing a dispute without being aware of what they
are doing. This is normal when there is no policy or business angle.
It's cool and fun in an open source context, because business doesn't
matter; the wonderful open source invention separates the business out
of the code perfectly.

Perhaps you haven't read the comment and what I found interesting:

"If we had a "rogue" CA cert then we may well have no objection to you
issuing something that looked like it to assist in the removal of trust from it. Heck, we'd help you do it."

For their own protection, CAs would like to have the root removed and/or marked in case of key compromise.

The point here is not how it is done, but something is done; which was
why I started documenting it.

OK, great!

Either Mozo does something, or it loses control.

I agree!

One advantage of having Mozilla resolve most disputes is that it
actually understands [3] the business. And the end-users. And the CAs.
And the certs. And the politics. And the conspiracies. And the cartels.
And the mistakes.

I think we must strictly limit what matters to Mozilla, define it and provide procedures and guidelines for different cases.

Let's start with having CAs sign on the dotted line of the Mozilla CA policy. Actually by applying they already agree to it somehow, but it's not clear. I'd like to have that improved.

I prefer to call it differently, not dispute resolution. There are many, many cases of potential disputes in relation to CAs, none of which is Mozilla's business.


(BTW, it somewhat bothers me....why are you calling Mozilla "Mozo"? Which abbreviation is it? I know about MoFo (Mozilla Foundation), about MoCo (Mozilla Corporation), about MoMe (Mozilla Messaging), but what the heck is Mozo? Mozilla Zoo??? :-) )

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
