All,

So far there have been several good comments. Please keep them coming.

I want to take this opportunity just to clarify a few things.

First, it has been Mozilla's long-standing position that, "We believe that the best approach to safeguarding secure browsing is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to keep our users safe." So, expect that we will take a well-thought and deliberate approach to this issue with Camerfirma.

Second, many of the compliance issues have dealt with requirements applicable to server certificates, yet only two roots of the four trusted by Mozilla have the websites bit enabled.

Chambers of Commerce Root – 2008 (Email and Websites)
063E4AFAC491DFD332F3089B8542E94617D893D7FE944E10A7937EE29D9693C0

Global Chambersign Root – 2008 (Email and Websites)
136335439334A7698016A0D324DE72284E079D7B5220BB8FBD747816EEBEBACA

Chambers of Commerce Root (Email only)
0C258A12A5674AEF25F28BA7DCFAECEEA348E541E6F5CC4EE63B71B361606AC3

Global Chambersign Root (Email only)
EF3CB417FC8EBF6F97876C9E4ECE39DE1EA5FE649141D1028B7D11C0B2298CED

So there is another issue that needs to be considered, if distrust is chosen: whether to remove just the websites trust bit or to take action against all 4 roots, and if so, on what basis?

(Also, note that Camerfirma has two other roots that are not included in the Mozilla trust store. They are the CHAMBERS OF COMMERCE ROOT – 2016 and the GLOBAL CHAMBERSIGN ROOT - 2016.)

Thanks,
Ben

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy