
Who Owns the Mozilla CA Modules?


Stephen Schultze

Feb 18, 2012, 4:16:51 PM
to mozilla-dev-s...@lists.mozilla.org
(sent to both mozilla.governance and mozilla.dev.security.policy)

Hey all, I just discovered an odd state of affairs that could use some
clarification. I apologize for the TLDR email that follows, but this
requires some explanation. I cannot tell for sure who is the owner of
the relevant modules for Mozilla's certificate authority root list
policy and management. Specifically, there are two modules:

1. CA Certificate Policy
responsible for maintaining:
http://www.mozilla.org/projects/security/certs/policy/

2. CA Certificates
"Determine which root certificates should be included in Mozilla
software products and which trust bits should be set on them, and
evaluate requests from Certification Authorities (CAs) for inclusion of
new root certificates."

As I understand it, the first module is for making changes to the Policy
text itself, whereas the second is for day-to-day decisions about root
approvals. Who are the current owners and peers for these modules? The
wiki is inconsistent:


https://wiki.mozilla.org/Modules/Activities

CA Certificate Policy
Owner: Kathleen Wilson
Peers: Frank Hecker, Gervase Markham, Johnathan Nightingale

CA Certificates
Owner: Kathleen Wilson
Peers: Frank Hecker, Gervase Markham, Johnathan Nightingale


https://wiki.mozilla.org/Module_Owners_Activities_Modules

CA Certificate Policy
Owner: Frank Hecker
Peers: Kathleen Wilson

CA Certificates
Owner: Kathleen Wilson
Peers: Frank Hecker


It seems that Kathleen is definitely owner of the CA Certificates
module, and that Gerv and Johnathan are probably peers of both. However,
the actual owner of the CA Certificate Policy is unclear. Kathleen
herself said recently that "Frank is still the owner of Mozilla's CA
Certificate Policy":

https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/bed934bffdbf30de/02c3156ee063505d#f8276c156fa742d5

In August of 2010, Frank had proposed making Kathleen owner of the CA
Certificates module and peer (and maybe owner?) of the CA Certificate
Policy module:
https://groups.google.com/group/mozilla.governance/browse_thread/thread/76862f38c7ccb897/725bea39d18a1cd6

In the thread that followed, it was unclear to me what the final
decision was on ownership of the CA Certificate Policy, and the wiki
seems to reflect this ambiguity.

Despite the similarity of names between the two modules, I think that
there is a good reason why they were created separately. One deals with
the day-to-day administration of the root list (a very time consuming
task) and the other deals with setting the policy itself. Although they
closely inform each other, day-to-day administration tasks can often
consume all available time and distract from policy updates. It
probably often makes sense to have these owned by different people in
order to avoid blocking of one by the other, and even to create a bit
more of a firewall between the process of negotiating with CAs on
acceptable compliance and updates/interpretations of the text itself.

To that end, I think that it would be useful to acknowledge the fact
that Frank is, from a practical perspective, no longer an owner or a
peer of either of these modules (he left Mozilla in 2009 and he hasn't
posted to this list in more than a year). I think it is also useful to
acknowledge the benefit of having different module owners, and to move
toward a situation where that is the case. As such, regardless of who
is the actual current owner of the CA Certificate Policy module, I'd
like to propose a new peer who could add some great energy and perhaps
prove himself to be a good owner as well.

Thomas Lowenthal (tom@mozilla) has posted to m.d.s.p. in the past and
works on privacy and security policy at Mozilla. He's also got
experience with Tor and is an admirably paranoid guy:

https://twitter.com/#!/flamsmark

I propose that he be appointed as a peer to the CA Certificate Policy
module.

Kathleen Wilson

Feb 18, 2012, 6:52:03 PM
to mozilla-dev-s...@lists.mozilla.org
According to:
http://groups.google.com/group/mozilla.governance/browse_thread/thread/1f6fdf151c7b9445#

The correct one is:
https://wiki.mozilla.org/Modules/Activities

The other one is the old version of the wiki page. However, it looks
like there have been some updates to it that will need to be merged into
the newer page before being removed/obsoleted.

Note: I updated the old page to be in sync regarding these two modules.


> It seems that Kathleen is definitely owner of the CA Certificates
> module, and that Gerv and Johnathan are probably peers of both. However,
> the actual owner of the CA Certificate Policy is unclear. Kathleen
> herself said recently that "Frank is still the owner of Mozilla's CA
> Certificate Policy":
>
> https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/bed934bffdbf30de/02c3156ee063505d#f8276c156fa742d5
>


After that Frank proposed the changes in module-o...@mozilla.org,
and the changes were approved.


> To that end, I think that it would be useful to acknowledge the fact
> that Frank is, from a practical perspective, no longer an owner or a
> peer of either of these modules (he left Mozilla in 2009 and he hasn't
> posted to this list in more than a year). I think it is also useful to


I still consult with Frank on matters pertaining to Mozilla's root
program and updating Mozilla's CA Certificate Policy. However, I would
understand if he decides to bow out of the "peer" role at some point.


> acknowledge the benefit of having different module owners, and to move
> toward a situation where that is the case. As such, regardless of who is
> the actual current owner of the CA Certificate Policy module, I'd like
> to propose a new peer who could add some great energy and perhaps prove
> himself to be a good owner as well.
>
> Thomas Lowenthal (tom@mozilla) has posted to m.d.s.p. in the past and
> works on privacy and security policy at Mozilla. He's also got
> experience with Tor and is an admirably paranoid guy:
>
> https://twitter.com/#!/flamsmark
>
> I propose that he be appointed as a peer to the CA Certificate Policy
> module.


I personally have not had enough interaction with Tom to be able to
endorse this proposal at this time. I suggest that we postpone this
decision for a while, and encourage Tom to participate more in the
mozilla.dev.security.policy discussions.

Kathleen

Stephen Schultze

Feb 18, 2012, 7:56:36 PM
to mozilla-dev-s...@lists.mozilla.org
On 2/18/12 6:52 PM, Kathleen Wilson wrote:
> According to:
> http://groups.google.com/group/mozilla.governance/browse_thread/thread/1f6fdf151c7b9445#
>
> The correct one is:
> https://wiki.mozilla.org/Modules/Activities
>
> The other one is the old version of the wiki page. However, it looks
> like there have been some updates to it that will need to be merged into
> the newer page before being removed/obsoleted.
>
> Note: I updated the old page to be in sync regarding these two modules.
>
>
>> It seems that Kathleen is definitely owner of the CA Certificates
>> module, and that Gerv and Johnathan are probably peers of both. However,
>> the actual owner of the CA Certificate Policy is unclear. Kathleen
>> herself said recently that "Frank is still the owner of Mozilla's CA
>> Certificate Policy":
>>
>> https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/bed934bffdbf30de/02c3156ee063505d#f8276c156fa742d5
>
>
> After that Frank proposed the changes in module-o...@mozilla.org,
> and the changes were approved.

You mean after October 2011 or after August 2010? I'm just curious when
you actually became module owner.

>> To that end, I think that it would be useful to acknowledge the fact
>> that Frank is, from a practical perspective, no longer an owner or a
>> peer of either of these modules (he left Mozilla in 2009 and he hasn't
>> posted to this list in more than a year). I think it is also useful to
>> acknowledge the benefit of having different module owners, and to move
>> toward a situation where that is the case. As such, regardless of who is
>> the actual current owner of the CA Certificate Policy module, I'd like
>> to propose a new peer who could add some great energy and perhaps prove
>> himself to be a good owner as well.
>>
>> Thomas Lowenthal (tom@mozilla) has posted to m.d.s.p. in the past and
>> works on privacy and security policy at Mozilla. He's also got
>> experience with Tor and is an admirably paranoid guy:
>>
>> https://twitter.com/#!/flamsmark
>>
>> I propose that he be appointed as a peer to the CA Certificate Policy
>> module.
>
> I personally have not had enough interaction with Tom to be able to
> endorse this proposal at this time. I suggest that we postpone this
> decision for a while, and encourage Tom to participate more in the
> mozilla.dev.security.policy discussions.

I do indeed hope that he begins to chime in even more often, and I'll
bring this proposal up again soon.

Please also keep an eye out for other Moz folks who contribute here but
are not on the current peer list (say, sid and bsmith) -- I've found
their positions to be representative of the opinions of the broader
community but not always reflected in final module decisions.

Also, as stated above, I think that there is some inherent benefit to
having different owners of the two modules for both workload and
impartiality reasons. I'd be interested to hear from the module owners
group on this.

Steve

Gervase Markham

Feb 20, 2012, 7:13:50 AM
to Stephen Schultze
On 18/02/12 21:16, Stephen Schultze wrote:
> https://wiki.mozilla.org/Module_Owners_Activities_Modules

This page is outdated. I should have marked it as such when I set up the
new system; my apologies.

I've moved across updates mistakenly made to that page.

Gerv

Kathleen Wilson

Feb 20, 2012, 5:36:28 PM
to mozilla-dev-s...@lists.mozilla.org
On 2/18/12 4:56 PM, Stephen Schultze wrote:
>> After that Frank proposed the changes in module-o...@mozilla.org,
>> and the changes were approved.
>
> You mean after October 2011 or after August 2010? I'm just curious when
> you actually became module owner.
>

January 25, 2012.


> Please also keep an eye out for other Moz folks who contribute here but
> are not on the current peer list (say, sid and bsmith) -- I've found
> their positions to be representative of the opinions of the broader
> community but not always reflected in final module decisions.
>
> Also, as stated above, I think that there is some inherent benefit to
> having different owners of the two modules for both workload and
> impartiality reasons. I'd be interested to hear from the module owners
> group on this.


I would like to point out that module owners and peers do not have to be
Mozilla employees.

In addition to your comments about workload and impartiality, I would
also like to add succession planning.

If I suddenly became unable to perform my current role, I have full
confidence that any one of Frank, Gerv, and Johnathan could take over
where I left off regarding the CA Certificate Policy and CA Certificates
modules. However, I don't think any of them would have the time and
desire to do this for the long term.

If there is anyone out there with particular interest in helping with
these modules and would eventually like to be a peer for one or both of
these modules, please let me know and actively participate in the
discussions in mozilla.dev.security.policy. I would very much appreciate
your involvement and constructive input and recommendations.

Thanks,
Kathleen

Kathleen Wilson

Feb 24, 2012, 8:09:36 PM
to mozilla-dev-s...@lists.mozilla.org
Sid Stamm has agreed to officially be a peer of the CA Certificate
Policy and CA Certificates modules. In my opinion he has been acting in
this role for a long time already, and I am thrilled that he has agreed
to make this official.

I've updated the page:
https://wiki.mozilla.org/Modules/Activities

Kathleen