The business of CAs

As I mentioned in my previous post about the new policy on CA certificates, one major issue is to what extent we should distinguish among the different types of certificates issued by different Certification Authorities, both in terms of the policy and also in terms of the SSL/TLS UI used in Firefox and other products. In today’s SSL/TLS certificate market CAs sell certificates with different claims as to the “assurance” of the certificate, but Firefox and other browsers have a “one UI fits all” approach, where any SSL/TLS connection to a web site receives the same UI treatment (the infamous padlock) regardless of how and to what extent the CA validates the holder of the site’s certificate. ...

2005-11-21 · 18 min · Frank Hecker

Mozilla CA certificate policy approved

Back in April 2005 I submitted a draft policy document to the Mozilla Foundation regarding how we determine which Certification Authorities (CAs) have root certificates included in Mozilla-based products distributed by the Foundation. Since that time a lot has happened; in particular the Mozilla Foundation reorganized to move its product development and distribution activities into the new Mozilla Corporation, and I took on a part-time position with the “new” Mozilla Foundation as Director of Policy. ...

2005-11-17 · 4 min · Frank Hecker

Feedback is now welcome

UPDATE 2023-03-27: This page is obsolete, as it refers to a prior version of this blog. However, it may be of historical interest. After much struggle I’ve finally managed to get my blog to support comments and TrackBacks. (This is what I get for using “roll your own” blogging software.) I’ll blog some more later about how I did this, for any Blosxom users who happen to be interested; in the meantime please report any problems to me, either as comments on this post (if you’re able to) or via email. ...

2005-09-22 · 1 min · Frank Hecker

Asymmetric competition

In previous posts I’ve discussed the theory of disruptive innovation (sometimes referred to as disruptive technology) created by Clayton Christensen and his associates, whether Firefox is a disruptive innovation in the sense Christensen uses, and the value network for Firefox. In this post I discuss potential “asymmetric competition” between the Mozilla project and Microsoft; much of my discussion is in the context of Firefox and IE, but my comments are meant to encompass the project as a whole. ...

2005-09-09 · 12 min · Frank Hecker

The Mozilla Foundation reorganization

The Mozilla Foundation has just announced a reorganization in which it’s created a new wholly-owned subsidiary, the Mozilla Corporation. In this post I wanted to provide my thoughts about the reorganization, why it’s being done, and what I think it means for the Mozilla project and the Mozilla Foundation. Since my name was mentioned in the press release I thought I’d begin by very briefly describing my role in all this. As it happens it was almost eight years ago to the day that I became seriously involved with what eventually became the Mozilla project. Since then I’ve worked on a variety of Mozilla-related tasks as a volunteer, almost all of them involving policy issues and related activities. Recently I decided to participate even more actively in the Mozilla project, first by serving as chair of a committee advising the Mozilla Foundation board of directors concerning the reorganization, and now by taking a half-time position as director of policy for the Foundation. ...

2005-08-03 · 7 min · Frank Hecker

Petra Haden Sings: The Who Sell Out

On my old web site (in the pre-blog days) I had a page with brief reviews of various books and music. Now that my blog is up and (sort of) working I’ve decided to revive that practice. For my first entry I’ve chosen Petra Haden Sings: The Who Sell Out. I found out about this album from a story in the Washington Post, and was intrigued enough to check it out. As it happens I’d never bought or heard the original version of The Who Sell Out, so except for “I Can See for Miles and Miles” I was hearing every song for the first time. And there are some excellent songs on the album, of which my favorite at the moment is “I Can’t Reach You.” ...

2005-07-10 · 2 min · Frank Hecker

The Firefox value network

In previous posts I discussed the basics of Clayton Christensen’s disruptive innovation theory and considered whether Firefox is a disruptive innovation. In this post I try to describe the “value network” for Firefox, using Christensen’s definition: “[a firm’s] upstream suppliers; its downstream customers, retailers, and distributors; and its partners and ancillary industry players” (Seeing What’s Next, p. 63). I also discuss how the Firefox value network overlaps (or not) with the value networks of Microsoft and others. ...

2005-06-26 · 9 min · Frank Hecker

Firefox and innovation

In a previous post I discussed Clayton Christensen’s “disruptive innovation” theory (as popularized in The Innovator’s Dilemma and other books) and how it applied to the rise and fall of Netscape. In this post I turn to more recent events, and attempt to answer at least some of the five questions with which I ended previously: Is Firefox more of a sustaining innovation or a disruptive innovation? In what sense is the Mozilla project pursuing (or could pursue) disruptive strategies, whether based on low cost or competing against nonconsumption? ...

2005-06-14 · 10 min · Frank Hecker

Mozilla CA certificate policy submitted for consideration

I have just submitted a Mozilla CA certificate policy 1.0 release candidate to the Mozilla Foundation and mozilla.org staff for consideration as an official 1.0 policy. This version of the policy is basically the draft 12 version with two changes: I explicitly marked the policy as a release candidate. I made a minor change to the last sentence in clause 7 to clarify the meaning of the sentence. Here is the message I sent to mozilla.org staff recommending adoption of the policy. Note that I tried to distinguish between points on which there has been reasonable consensus (at least among the people who’ve commented on the policy throughout this process) and points on which no real consensus exists (at least in my opinion); I also tried to fairly characterize the nature of any remaining disagreements and indicate the implications for future policy. ...

2005-04-14 · 10 min · Frank Hecker

Draft 12 of Mozilla CA certificate policy

I’ve just posted a new draft 12 of the proposed Mozilla CA certificate policy, and absent strong objections plan to submit this to the Mozilla Foundation for approval as a 1.0 policy. The two substantive changes in this draft are as follows: To address some of the concerns expressed about CAs issuing “duff” certificates (defined loosely as certificates that are dubious from a security or technical point of view) I’ve expanded clause 4 to add examples of certificate-related problems that might cause us to reject a CA’s application for inclusion or to consider removing an already-included CA certificate. ...

2005-04-09 · 4 min · Frank Hecker