Slashdot Mirror


User: Gerv

Gerv's activity in the archive.

Stories
0
Comments
510

Comments · 510

  1. Re:Why would I have to "pledge" anything? on Firefox Goes for World Download Record · · Score: 1

    No - normally the Mozilla project waits a while before doing that. Firstly, so any remaining critical bugs can get knocked out, and secondly, because the servers might melt if we had the record attempt _and_ auto-update at the same time :-) I believe auto-update is even triggered in waves, to stagger the load.

    Gerv

  2. Re:Perhaps not the cleverest plan... on Firefox Goes for World Download Record · · Score: 1

    Please don't do that; the logs get audited. I don't know if Guinness will disqualify the attempt if there's funny business going on but, before anything else, it's cheating anyway.

    Gerv

  3. Re:What is REALLY bothersome on Google's Shadow Over Firefox · · Score: 1

    [I said this further above, but...]

    It's actually hard work to spend money.

    No, really.

    OK, so we could just hand out large chunks of cash to anyone who came asking for it, with no oversight and no follow-up. If we'd done that, we'd probably have been able to spend quite a lot more. Would that have made you happier?

    What we actually did was solicit and carefully vet proposals, draw up consulting contracts where appropriate, monitor progress and make staged payments. Amongst all the other things we do to keep the show on the road. And we'll be doing more of it next year.

    Gerv

  4. Re:Google Pullout on Google's Shadow Over Firefox · · Score: 1

    Firefox would be just as useful as it is now, and some other company would pay to receive the search traffic of 130 million users.

    Gerv

  5. Re:Bullshit! on Google's Shadow Over Firefox · · Score: 1

    Thank you very much for donating. There was a period, before Firefox got popular, where we were really unsure how we were going to survive. Donations like yours did, and still do, reassure us that people believe in what we are doing.

    But I don't understand the sour grapes about Mitchell's pay packet. If you know of an as-good or better CEO (with the same amount of industry and Mozilla experience and community support) who will work for less money, name them. Otherwise, the worker is worth the wages.

    Gerv

  6. Re:Google has influenced Opera, also. on Google's Shadow Over Firefox · · Score: 1

    It's actually hard work to spend money.

    No, really.

    OK, so we could just hand out large chunks of cash to anyone who came asking for it, with no oversight and no follow-up. If we'd done that, we'd probably have been able to spend quite a lot more. Would that have made you happier?

    What we actually did was solicit and carefully vet proposals, draw up consulting contracts where appropriate, monitor progress and make staged payments. Amongst all the other things we do to keep the show on the road.

    Gerv

  7. Re:Slashdot sensationalism damages OSS project! on Thunderbird in Crisis? · · Score: 1

    "but the two lead developers no longer playing a role in how the project is led"

    If that were true, it might be a crisis. But it's not. Both (IIRC) have said they will continue to be involved as module owners.

    Gerv

  8. Re:Thunderbird is awesome on Windows on Thunderbird in Crisis? · · Score: 1

    "If Thunderbird could duplicate those two features I'd probably give up Mail.app."

    Then you're half in luck. You can have a combined inbox using a saved search (among other ways).

    Gerv

  9. Re:Still good... on Thunderbird in Crisis? · · Score: 1

    I've never heard of that before. Do you have a bug number?

    Gerv

  10. Re:Interesting double standard of governance on Looking Into Mozilla's Financial Success · · Score: 1

    "I think we're probably both done with this topic."

    If you like. FWIW, I think your message takes no account whatsoever of the prevailing reality, which is that "rankings according to a reticulated network of other certificate users" are a non-starter for web browser-based trust models. What users want to know is "can I put my credit card in this box"; we are attempting, with the tools we have at our disposal, to help them make that decision. Hence, in large part, EV - the contents of a certificate need to be trustworthy before you can make a decision based on it.

    Your post is also full of loaded words - what you call a "gatekeeper position", I call "taking responsibility for the security of our users" and "not just trusting any old Joe who asks". What you call "peddling", I call "believing". And so on. Hardly a way to construct a convincing argument.

    "And you'd still be peddling the idea that certificates mean more than they do, and that free certs are less trustworthy. What you're engaged in is fabricating a set of Emperor's Clothes while scoffing at the other nudists."

    So CACert and Verisign are both nudists, then?

    Free certs are, all other things being equal, less trustworthy because verifying someone's identity takes time and money, and taking responsibility for that verification requires indemnification (i.e. insurance, or a large pile of cash). That time and money has to come from somewhere. It can either be obvious where it comes from (in the commercial CA model), or it can be less obvious. Or the verification can be done badly or not at all.

    You, in contrast, are "peddling" the idea that just because CACert's web of trust model is better, that means we should trust them as an organisation. And that's rubbish. Their organisational woes are well documented.

    "The very fact that you're considering that certificates show "trustworthiness" as opposed to "a reasonably strong probability that lots of humans would have to be tricked to believe this identity" is disturbing."

    Now I know you're just ranting, because trustworthiness was your word, not mine, and we were discussing CAs, not end users.

  11. Re:Interesting double standard of governance on Looking Into Mozilla's Financial Success · · Score: 1

    I don't deny that the appearance of CACert (among other things) led us to develop guidelines. I don't think that's unreasonable, given the differences between CACert and other CAs. The fact that it took a long time is unfortunate, but these things happen in a volunteer project. Unless you think there is personal animosity between Mozilla people and CACert people, or you have conspiracy theories about backhanders from established CAs, then you must accept that our actions were motivated by the desire to provide a most secure browsing experience for our users.

    "Mozilla's list of (you can trust these guys absolutely) certificates creates the wrong impression: especially when you make it hard for CAcert to get included in that list. Wow! CAcert must have done something worse than handing out Microsoft Class 3 developer certificates ... and other bogus certificates that I and others can attest to personally."

    So your model would be that we rank all CAs in order of evilness (in our eyes) and include only those that meet some lack-of-evilness benchmark that we set?

    "The answer it seems is that Thawte/Verisign got in early, have a proven track record (which you like to try and ignore) of untrustworthiness"

    So what would a proven track record of trustworthiness look like? Are we back to demands for perfection?

    "Ehh... so to repeat "what you trust is wealth and the threat of losing that wealth"."

    If you want to characterise it that way. Why is this bad?

  12. Re:Interesting double standard of governance on Looking Into Mozilla's Financial Success · · Score: 1

    You continue to bang on about the one example mistake everyone brings up about Verisign (which, I have no doubt, caused serious internal reviews and changes of procedure inside that organisation). It's interesting that everyone uses that example - because, despite all the procedural flaws etc. CACert activists claim the current model has, it's the only example there is, after millions of certificates have been issued. But you still don't answer my key question: are you willing for CACert to be held to the same standard you are holding Verisign to? One mistake and you're out?

    "And so now you come full circle to contradicting yourself and accepting that what you trust is wealth and the threat of losing that wealth."

    No - what I trust is having some skin in the game. If Verisign start issuing dodgy certs, their business collapses, everyone loses their jobs and they are on the dole queue. And the employees or management probably get sued into oblivion by the shareholders. That's a fairly powerful incentive to do the right thing. Where's the incentive with CACert? If, for example, the CACert crew were willing to put up a $1,000,000 bond against fraudulent issue (which all the EV cert-issuing CAs are doing) then that would be some skin in the game.

  13. Re:Interesting double standard of governance on Looking Into Mozilla's Financial Success · · Score: 1

    "try to explain why Mozilla/Firefox doesn't see fit to include this perfectly good certificate."

    So you can prove that, through its long and varied life under various project leaders, the CACert root key has never been leaked, compromised, or given to someone who now has a grudge against the project?

    "Actually no, I'm arguing that the standards that you claim to apply have only one criterion which CAcert fails to meet: money"

    No. The standard is a passed audit - i.e. a 3rd party assessment of competence. Yes, this costs money, because it takes time. It would always cost someone money. If we did it ourselves, it would cost us money instead of the prospective CA. The only alternative is taking anyone's word for it when they say "I'm competent". Not, perhaps, the best security decision.

    "Teaching users that certificates issued for money (Thawte) meet a higher standard (good enough to be in Firefox root cert store) than certificates issued for free (CAcert) seems like a WORSE way to me."

    If Thawte gave away certificates for free tomorrow (and, in fact, several CAs in the store give away certain types of certificate for free) then they would still be in the store, and CACert would not. If CACert decided to start charging $100 per cert tomorrow, they would still be out. It's not about how much the CA charges for the certs.

    "You've helped to foster the impression that a company that has an incentive to issue as many certificates in as little time as possible (because it's paid per cert) is a safer bet than an organisation that issues certificates for free."

    ...and has absolutely nothing to lose if they issue a duff cert. The entire CACert team can walk away tomorrow, saying "Hey, we tried. Never mind. Beer, anyone? Shame about Firefox's reputation for security, eh?". That's not something which inspires confidence.

  14. Re:Interesting double standard of governance on Looking Into Mozilla's Financial Success · · Score: 1

    You think CACert, as it is now, would pass a WebTrust audit if it had the money? Really?

  15. Re:Interesting double standard of governance on Looking Into Mozilla's Financial Success · · Score: 1

    "CAcert were blocked for IIRC 2 years while they waited for Mozilla to draw up guidelines about which root certificates would be included."

    Along with every other CA. The backlog is only now being cleared.

    "They included and still include root certificates from Thawte/Verisign (which have been proven to have a lower standard than CAcert (no Web of Trust model) which led to them issuing Class3 developer certificates for Microsoft to an outside party."

    Are you arguing that the web would become a more secure place if those certificates were removed? Teaching users to ignore security warning popups on 50% of secure websites doesn't seem to me like a good way to improve security. Also, are you willing to be held to the same standard? If CACert was included, and then issued a single certificate incorrectly, would you be happy for your root to be removed for ever more?

    "CAcert will NOT be included until they can meet the requirements of the Certified Institute of Public Accounts which will cost them US$250,000 for an audit."

    There are several different sets of audit criteria which are acceptable, with AICPA WebTrust being only one of them.

    "To me that's different standards being applied, with Mozilla leaning strongly in favour of those that have money."

    Actually no, it's you who are arguing that different standards should be applied to those who don't have money.

  16. Re:Interesting double standard of governance on Looking Into Mozilla's Financial Success · · Score: 1

    So it's not necessary to have any independent confirmation that a CA (who, after all, ends up being trusted by every user of the software) actually has some level of competence? So you'd add FreeFreeFreeCerts (https://bugzilla.mozilla.org/show_bug.cgi?id=233458 - Slashdot referers disabled in Bugzilla) to the root store?

  17. Re:Don't rewrite from scratch on After 9 Years, Bugzilla Moves Up to 3.0 · · Score: 1

    That's rubbish, for two reasons. 3.0 wasn't a from-scratch rewrite from 2; the team did the normal incremental and iterative development. And so the "9 years" says nothing about whether software should be rewritten from scratch or not. In fact, the main reason that Bugzilla hasn't been labelled "3.0" before is because one developer a few years ago went off and started an abortive complete rewrite which he called "Bugzilla 3", and we didn't want to confuse things by reusing the number.

    This is actually explained in the release announcement.

  18. Quite right too... on Target Advertising Used to Censor NY Times Article · · Score: 3, Interesting

    It's absolutely right that you can't state a man is guilty of an offence for which he's been charged until it's proven in a court of law. You can state that you personally think he's guilty; you can state that he allegedly committed the offence; but unless you want to be hauled up in front of the judge and asked for the evidence you apparently have that he definitely did it, saying that he did is libellous.

    If the US had a similar system, there might be less "trial by media" and more trial by judge and jury. Not that the UK is perfect, but it's better.

  19. Re:A little clarification on Cutting out the Naughty Bits Ruled Illegal · · Score: 2, Insightful

    "So, tell me. If wealth is not so bad, why did Jesus ask the rich young man to give up ALL of his possessions to the poor?"

    Because wealth was the man's god. Read the entire story. Jesus asks him if he's kept all the commandments; he says "Yes". What's the first commandment? "You shall have no other gods before me". Jesus realised that money was the man's god, so he said "OK, then, give away all your money". The man went away sad, proving that he hadn't kept all the commandments.

    The overall point of the story is not that we must do better at keeping God's commandments, but that salvation is by grace (God's undeserved favour in choosing sinners) and not by obeying the Law or by works (what you do). Because no-one can do that perfectly, as the rich young man proves.

  20. We Should Drop Support in Firefox 2, As Well on Firefox to Drop Pre-Windows 2000 Support · · Score: 1

    See my blogpost for the argument why.

    Gerv

  21. Ubuntu playback on BBC Presents An Open News Archive · · Score: 1

    My default Ubuntu Totem can't play back any of the three formats (well, I tried MPEG and Quicktime; I assumed WMP wouldn't work). Anyone else had more luck? Is there any way someone on Linux who doesn't want to install non-free/illegal codecs can play back Creative Archive video?

    Where's the Dirac version? ;-)

    Gerv

  22. The Real Situation on Firefox Faces Trademark Issues · · Score: 4, Informative

    I'm the person at the MoFo responsible for the trademark discussion with Debian. Please read my blog post on the subject to get the correct story.

  23. Re:They're adding IDN support NOW??? on 'Lower Rights' IE 7.0 Coming · · Score: 1

    I don't agree that punycode is a high spoofing risk, at least at the moment. OK, you can spoof www.xn--foopydoopygoopy.com with www.xn--foopydopygoopy.com, but what is there of value worth spoofing at www.xn--foopydoopygoopy.com?

    When high value sites in .com start using IDN, then there'll be a risk. But hopefully they won't until .com sorts out its policies, because who wants to have their website showing up in browsers as www.xn--foopydoopygoopy.com ?

  24. Re:They're adding IDN support NOW??? on 'Lower Rights' IE 7.0 Coming · · Score: 1

    "Anyone heard if Firefox is going to implement a true solution? Turning it off is just not acceptable."

    Calm down - the original poster is wrong. :-) Turning them off was just a temporary measure. Our solution is basically the same as Opera's.

  25. Re:They're adding IDN support NOW??? on 'Lower Rights' IE 7.0 Coming · · Score: 2, Informative

    "Firefox's solution was to turn off international domain names"

    This is incorrect. We turned them off while working on a long-term fix, which is basically the same thing as Opera's.