Entries for February 2005
Draft 11 of Mozilla CA certificate policy
I've just posted a new draft 11 of the proposed Mozilla CA certificate policy. The only substantive changes are as follows:
I strengthened the language in paragraph 4 to cover rejecting CA requests if we believe it's appropriate to do so.
I modified paragraph 6 to add a requirement relating to verification of certificate signing requests, and added a new paragraph 7 to describe minimum verification requirements for each type of certificate. (See below for more on this.)
I added a new paragraph 14 noting that the Mozilla Foundation will designate someone to handle CA requests, with mozilla.org staff being the "supreme court" for any disputes. ...
JWZ considered disruptive
I've previously thought of Jamie Zawinski not just as an excellent hacker but also as a marketing talent, creator of the original mozilla.org "brand". (Imagined conversation: "You know, these open source and free software types are all radical anarchists or Marxist hippies; they'll really go for a brand image that reminds them of trashing a WTO meeting" "Well, Jamie, you're the expert...") Now based on his "groupware bad" rant it turns out that JWZ is also a leading-edge corporate competitive strategist; maybe the people getting Harvard Business School MBAs could take a break and hang out at the DNA Lounge instead. ...
Patch for atomfeed plugin (UTC dates)
I recently experienced a strange problem with the Atom feed on my weblog. My weblog server is running on U.S. Eastern time as the basic time zone, but the story dates in the Atom feed should be expressed in UTC/GMT; the atomfeed plugin has code that supposedly should do any necessary conversions. On my local test blog (running under OS X 10.3 using Perl 5.8.1) this worked fine, but on my real blog (running on Red Hat Enterprise Linux 3 using Perl 5.8.0) the dates in the Atom feed were incorrect; they were five hours earlier than what they should be, suggesting that they didn't get converted to UTC/GMT. After some investigation this turned out to be due to non-portable code in the atomfeed plugin. ...
Feel the love: Love/Hate brand scores for Firefox, etc.
I happened to stumble upon a blog post by Jennifer Rice on "Love/Hate brand scores". She did a thoroughly unscientific comparison of common brands based on querying Google for "I love Foo" and "I hate Foo" (similar to Googlefight, but taking the idea a bit further). I've recomputed her results and included some brands and products of interest to us. ...
Draft 10 of Mozilla CA certificate policy
I've posted a new draft 10 of the proposed Mozilla CA certificate policy. The only substantive changes are as follows:
I changed the language on disclosure of financial compensation (i.e., of independent evaluators by CAs) to read "publicly disclose" as opposed to "fully and publicly disclose"; in other words, I dropped the word "fully".
I added a section discussing revision of the policy, and noting that such revision would be done only after public discussions (similar to what we're doing now). ...
Full disclosure: for and against
In the course of our discussing the proposed Mozilla CA certificate policy, Ian Grigg happened to ask about the existing Mozilla policy on handling security bugs and how we tried to forge a compromise between people advocating full disclosure of security bugs and people who were opposed to that. (Ian was interested in this because he and Adam Shostack have been blogging on the "economics of disclosure".) I happened to look back at the Google archives of the discussions we had, and found some material that I thought was worth revising, reprinting, and commenting upon, especially for people who are not aware of how the current Mozilla policy came to be. ...
Draft 9 of Mozilla CA certificate policy
I've created a new draft 9 of the proposed Mozilla CA certificate policy. The main substantive changes are as follows: ...
Draft 8 of Mozilla CA certificate policy
I've created a new draft 8 of the proposed Mozilla CA certificate policy. The main substantive changes are as follows: ...
Draft 7 of Mozilla CA certificate policy
I've published a new draft of the proposed Mozilla CA certificate policy. For information on changes from the previous draft please see my posting in the netscape.public.mozilla.crypto newsgroup (aka the mozilla-crypto mailing list).
(Note that I have not yet completed writing the accompanying FAQ, but will try to do so in the coming weeks.) ...