The lead paragraph should encompass non-government super CAs, too. Furthermore, the policy should address certification authorities (CAs) and not their root certificates. Consider the following:
> Some CAs sign the certificates of subordinate CAs to show that they have
> been accredited or licensed by the signing CA. Such signing CAs are
> called Super-CAs, and their subordinate CAs must apply for inclusion
> their own roots if any of the following apply ...

Then, in the listed criteria, change "root CA" to either "subordinate CA" where a certification authority is meant or to "root certificate" where a certificate is meant.

I would also add a prohibition against including the root certificate of any Super-CA.

Finally, the wording cites "third-party subordinate CAs". I assume the Super-CA is the first party. What is a "second-party subordinate CA"?

-- 
David E. Ross
<http://www.rossde.com/>

On occasion, I filter and ignore all newsgroup messages posted through GoogleGroups via Google's G2/1.0 user agent because of spam, flames, and trolling from that source.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy