TriNetre - Archive for July 01, 2005
Ian Grigg at Financial Cryptography accuses the Mozilla Foundation of not being open about its recent discussions with commercial CAs:
So it was with sadness that I discovered that the Mozilla Foundation had entered into the smoke-filled rooms of secret negotiations for security changes. These negotiations are apparently over the security User Interface. It involves some other browser manufacturers - Microsoft was mentioned - and some of the CAs - Verisign has not been mentioned that I have heard.
There is no doubt that Mozilla has walked into an agenda capture process. It specifically excluded one CA, CACert.org, for what appears to be competitive reasons. Microsoft enters these things frequently for the purposes of a) knowing what people are up to, and b) controlling them. (Nothing wrong with that, unless you aren't Microsoft.) At least one of the participants in the process is in the throes of selling a product to others, one that just happens to leave itself in control. The membership itself is secret, as are the minutes, etc etc.
Frank Hecker tries to clarify in his comments that the discussions were initiated by "traditional commercial CAs" and that "every CA that's not in the stated business of selling SSL certs to ecommerce businesses" was excluded from that meeting. Not sure whether that was supposed to calm us!
Why has the Mozilla Foundation engaged in discussions with a group of commercial CAs without making the minutes of these meetings public? What, if any, decisions were made during the meeting? What, if any, decisions were taken regarding any aspect of the implementation of Mozilla's products (Firefox, Mozilla suite, Thunderbird, etc.) that were directly or indirectly influenced by this closed-door meeting with commercial CAs?
It is rather strange for an organization that was set up to "provide organizational, legal, and financial support for" an open source project to be so closed. Is something cooking?
