On 3/7/09 07:15, Anders Rundgren wrote:
> Nelson B Bolyard wrote:
>> but please don't take it out on us. Please refrain from further sniping
>> in this mailing list and newsgroup. Constructive contributions are welcome.
>
> I'm sorry about that. Is there any other place where Mozilla people hang
> out where there is an interest in trying to understand why and what is
> happening on the PKI side for consumers?

No, there is none as far as I know. Mozilla outsources the security
architecture, partly because it subscribes to standards, partly because
it is really interested in browsers and users rather than security and
protocols, and partly because it (Netscape) tried it once in 1994, and
got slapped down.

As a historical legacy, Mozilla has chosen the 1980s design of PKI, and
that's that. This isn't going to change any time soon. We, the
industry, are locked in a deadly embrace on security.

I admit to being fooled by this, and it took me years to figure out why
people here didn't respond. Basically, Mozilla doesn't do security
architecture. They just do security programming. They'll take whatever
standard comes out of the standards groups, and implement them if and
when they become necessary.

Which means, as an unfortunate side effect, when there is a bug in that
architecture, Mozilla is powerless to fix it. Even if liable! It's not
their fault, and there isn't much use in railing against it.

(Mind you, it would help if Mozilla people also realised their position,
and didn't encourage false expectations based on some sort of claim to
security leadership.)
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto