On 11/2/09 01:59, Eddy Nigg wrote:

It's perhaps an opportunity for me to explain why I'm here and why I
think others - especially representatives and employees of CAs - should
too.


OK, invitation accepted! I'm here to get a couple of fixes spliced into the Mozilla DNA:

   1.  add a feedback loop to the business.
       (start by documenting what's there now.)

   2.  set Mozilla's liability to endusers to zero.
       (therefore the liability rests with the enduser.)

Although simple to write, easy to do, and relatively easy to explain, any changes seem controversial and scary [1].

There is an open question in my mind as to whether Mozilla can make changes. Lack of response on these might suggest that the team hasn't the space to sit back and think about the wider issues. They are too busy doing the CA reviews [2]. So they need more people.

Which brings us full circle to Frank's observation that we would be better off to use open governance techniques like open review of CAs, not employ more people [3].

To which my counter-response would be: people doing open governance are doing it for a reason; they want a trade. In my case, it is some sense that Mozilla is moving forward and making changes and improvements to the system. If there is no possibility of improving the system there is no need to be here.

That's my view.  It could of course change tomorrow.



iang



[1] How they relate to CAcert is much longer and mostly irrelevant to the discussion, but if anyone is interested, ask away, I already wrote the long email on this and discarded it for length. Or read the super-long description on http://iang.org/papers/open_audit_lisa.html

[2] Another response might be that these should really be discussed with the legal guy, who isn't here, or the board, which has fiduciary responsibility. Yet a third response might be, actually, no, we don't want to do that, we want to simplify our approach not complicate it.

[3] I would normally champion such a thing!
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
