Mozilla

I’ve just posted a new draft 12 of the proposed Mozilla CA certificate policy, and absent strong objections plan to submit this to the Mozilla Foundation for approval as a 1.0 policy. The two substantive changes in this draft are as follows: To address some of the concerns expressed about CAs issuing “duff” certificates (defined loosely as certificates that are dubious from a security or technical point of view) I’ve expanded clause 4 to add examples of certificate-related problems that might cause us to reject a CA’s application for inclusion or to consider removing an already-included CA certificate. ...

I’ve previously thought of Jamie Zawinski not just as an excellent hacker but also as a marketing talent, creator of the original mozilla.org “brand.” (Imagined conversation: “You know, these open source and free software types are all radical anarchists or Marxist hippies; they’ll really go for a brand image that reminds them of trashing a WTO meeting” “Well, Jamie, you’re the expert. . . .”) Now based on his “groupware bad” rant it turns out that JWZ is also a leading-edge corporate competitive strategist; maybe the people getting Harvard Business School MBAs could take a break and hang out at the DNA Lounge instead. ...

I happened to stumble upon a blog post by Jennifer Rice on “Love/Hate brand scores". She did a thoroughly unscientific comparison of common brands based on querying Google for “I love Foo” and “I hate Foo” (similar to Googlefight, but taking the idea a bit further). I’ve recomputed her results and included some brands and products of interest to us. Here’s the original Love/Hate brand score table, with all figures recomputed based on new searches (partly so I can understand exactly how she computed her results, and partly to get a consistent baseline for adding Firefox et.al. ); I’ve left the brands in the same order as in Rice’s table for ease of comparison. ...

I’ve posted a new draft 10 of the proposed Mozilla CA certificate policy. The only substantive changes are as follows: I changed the language on disclosure of financial compensation (i.e., of independent evaluators by CAs) to read “publicly disclose” as opposed to “fully and publicly disclose”; in other words, I dropped the word “fully.” I added a section discussing revision of the policy, and noting that such revision would be done only after public discussions (similar to what we’re doing now). ...

In the course of our discussing the proposed Mozilla CA certificate policy, Ian Grigg happened to ask about the existing Mozilla policy on handling security bugs and how we tried to forge a compromise between people advocating full disclosure of security bugs and people who were opposed to that. (Ian was interested in this because he and Adam Shostack have been blogging on the “economics of disclosure.”) I happened to look back at the Google archives of the discussions we had, and found some material that I thought was worth revising, reprinting, and commenting upon, especially for people who are not aware of how the current Mozilla policy came to be. ...