While I'm from the EU and against spam, I must remind you of the fundamental opt-out/opt-in difference between the US and the EU. Just a thought.

On 2/28/09, Kyle Hamilton <aerow...@gmail.com> wrote:
> First, Microsoft has already become a CA (multiple times over), and
> they arguably do more things related to maintaining the
> trustworthiness of the PKI than Mozilla does.
>
> However, I believe that spamming is reprehensible. I also believe
> that the only reason that spammers actually spam is because of the
> very low cost of sending out UCE, which means that only 1 of 50,000
> spams needs to respond to make a profit.
>
> In order to reduce the effectiveness of this flavor of spam (which
> only exists because the company has been accepted as "trustworthy" by
> Mozilla, Microsoft, Apple, Opera, and the Konqueror team), the only
> way to make it less profitable for them is to remove one of the
> pillars upon which they base their spam. Specifically, the only way
> to make it less profitable is to cost them their browser support,
> which would render their CA services valueless.
>
> If Mozilla tolerates this (and I am specifically stating this as Frank
> is capable of making at least some policy choices on behalf of the
> Mozilla Foundation), then what else will it tolerate? Spam is a
> proposition which is more damaging to user security than any PKI
> attack can be -- it is a proposition which is essentially a denial of
> service attack against their email boxes. (Remember, 'availability'
> is one of the things that has always been part of all of the security
> protocols that the IETF evaluates -- in this case, though, the
> processing power of the user herself is being abused.)
>
> Also, does Mozilla want to go on record as tolerating spam?
>
> -Kyle H
>
> On Sat, Feb 28, 2009 at 9:16 AM, Frank Hecker
> <hec...@mozillafoundation.org> wrote:
>> Eddy Nigg wrote:
>>>
>>> I suggest to Microsoft and Mozilla to make it a policy requirement of
>>> CAs to refrain from spam and sending of unsolicited mail.
>>
>> In my original "CA certificate metapolicy" document from 2004
>>
>> http://hecker.org/mozilla/ca-certificate-metapolicy
>>
>> I wrote the following:
>>
>>   18. ... The [Mozilla CA certificate] policy should not arbitrarily
>>   exclude CAs from consideration based on factors such as the CA's
>>   size, reputation, *business practices not related to certificate
>>   issuance*, profit or nonprofit status, geographic location, and the
>>   like. [emphasis added]
>>
>> As part of the discussion of the metapolicy, I wrote the following in
>> response to a comment from Ben Bucksch stating that he didn't want roots
>> included for a company "proven to be ruthless", and asking whether we'd
>> accept Microsoft as a root CA:
>>
>>   I wasn't proposing to ignore the CA's track record specifically
>>   as a CA, I was referring instead to the CA's general reputation as
>>   a business. To answer your hypothetical question: if Microsoft acted
>>   as a CA, and if Microsoft properly did the things one would expect a
>>   CA to do, then why should their root CA cert not be included? Whether
>>   Microsoft is a "good" company or "bad" company in terms of other
>>   non-CA-related business practices (for example, the sorts of things
>>   that got them in trouble with the US and EU) is IMO of little or no
>>   relevance.
>>
>> http://groups.google.com/group/netscape.public.mozilla.crypto/msg/45e7135322b15f4c
>>
>> So, consistent with my position back then, I am *not* in favor of our
>> imposing a policy requirement that CAs (or their resellers) not engage in
>> spamming. It's not directly relevant to a CA's performance as a CA.
>>
>> Frank
>>
>> --
>> Frank Hecker
>> hec...@mozillafoundation.org
>> --
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>

--
Sent from my mobile device

Martin Paljak
mar...@paljak.pri.ee
http://martin.paljak.pri.ee
GSM:+3725156495