Hi Peter,
On 18/01/12 09:50 AM, Peter Kurrasch wrote:
> Totally agree that silence does not equal approval. Speaking for myself,
> silence means "I don't think it matters" but to better explain that, let me
> suggest that there are 2 conflicting goals at play:
>
> 1. How CA certs are "uniformly" incorporated into Mozilla products and
> other browsers (just browsers--not other clients).
> 2. How to advocate for end users and improve the security they observe and
> experience.
Yes, or words to that effect.
> My impression from recent conversations in this forum is that CABF and the
> BR 1.0 is only really expected to address #1. That being the case, I would
> say the BR is just fine and probably helps with uniformity.
This is the same comment made about EV by Frank when it was adopted, in
that it documents a standard for high-end SSL web certs. Fine. But,
same comment made then -- but what about the users?
BR documents a standard for low-end SSL web certs. BR does some good,
it solves a massive headache for vendors because it solves their
contract woes with CAs. It also avoids a few of the minefields in EV.
The problem is if you look at the title and the purpose, BR claims to
address your 2. It should go on to deal with user interests, but does not.
Obviously CAs will claim loudly that it does, but they are biased and
lack references, if not words. So, Steve's words, we don't see eye-to-eye.
> Where I start to criticize the BR is when it comes to goal #2. I think the
> BR falls far short of positively affecting the security experience for end
> users--if for no other reason than there is so much space between the user
> and the issuing CA that the root cert is the least of our concerns.
>
> So, when it comes to improving the BR I'm not overly interested because I
> don't think it matters. Sure, there might be improvements and
> clarifications to help the cert adoption process--and for those I don't
> have much of an opinion. If somebody takes it the next step and tries to
> say "this improves user security" I will have to disagree.
The problem is that they have successfully filled the spot available.
Now if anyone comes along and says we need to address users, they will
say, look, we have BR. And then the arguments will start. Which will
never end. See thread below. It's endless....
So, nothing new will be accepted by vendors. Essentially, unless the
CAs agree, the vendors will not accept anything from the users.
So, for different logic, I reach the same conclusion: it doesn't
matter. The user loses. Game over.
> So this is my opinion but I'd like to know how other people feel about
> this. I'd also like to hear some perspective on how people view Mozilla's
> role as "user advocate".
Epic Fail. But that was the point of CABForum - the elimination of the
user voice was clearly an or even the objective. The techniques are old
and hallowed: gate-keeping, funneling, exclusion, human shield,
confidentiality, alliances, tag,...
> If Mozilla is supposed to fill that role to some
> degree is there a forum apart from CAB where suggestions/proposals might be
> made? Maybe this email list is it? Maybe we need a user-advocate forum,
> with CA support? (UAFWCAS???)
No chance. CAs put together CABForum for CA purposes. Although not
pre-ordained, it quickly found purpose to block the user voice that
Mozilla had successfully created to some small extent, and had taken
some small root in the vendor meetings way back when. I forget when /
where, but started by the Konqueror SSL guy in Montreal or similar.
Anyway, the point is that any forum that is created will be subject to
the same (winning) forces.
> Well, just thoughts....
The Mozilla experiment was nice while it lasted, sure.
iang
>
> On Tue, Jan 17, 2012 at 2:36 PM, Stephen Schultze <sjschult...@gmail.com> wrote:
>
>> On 1/17/12 10:10 AM, Eddy Nigg wrote:
>>
>>> On 01/17/2012 04:39 PM, From Stephen Schultze:
>>>
>>>> Don't take the relative lack of response on this topic as approval.
>>>> It's more like burnout. Particularly when the discussion and
>>>> decision-making goes on behind closed doors, your public participants
>>>> are likely to fade away.
>>>>
>>> But perhaps you also have to set the expectations right - the BR
>>> addresses many issues that never were defined, but that were considered
>>> "problematic practices". Finally it has been decided what flies and what
>>> not.
>>>
>>> The BR isn't and probably can't be perfect in its current form, but it's
>>> also not the last version either. I think it's a significant step
>>> forward (and not standstill or step backwards), you may be wishing for
>>> perfect, but it won't happen in this round.
>>>
>>> Issues that couldn't be addressed this time have a good chance to be
>>> looked upon in the upcoming revisions - and don't think you are the only
>>> one that sees possible improvements. Many CAB Forum members see it the
>>> same way, but it was more important to first of all start somewhere and
>>> get it off the ground instead of investing another year of discussions
>>> and have nothing.
>>>
>> The problems I identified have been long defined... so long in fact that
>> many security folks have abandoned these conversations because they
>> believed that they were not being heard. You may have hope that some of
>> them will be addressed, but you of course are an actual participant in the
>> discussions.
>>
>> CAB Forum is a closed group that fails to adequately include users in its
>> decision-making process... by design.
>>
>> However, we're not going to see eye-to-eye on that, so I'll settle for
>> some evidence of movement on the topics I've identified. If Mozilla can
>> start by actually implementing its proposed language, that would be a step
>> forward, and I imagine that it would also encourage CAB Forum to take the
>> issues seriously for future BR revisions.
>>
>> Steve