All,

Many people have contacted me because they heard that Mozilla is considering removing the Email trust bit, and they ask that we keep the Email trust bit because they use the root certs in Mozilla's root store (NSS) with the Email trust bit enabled in current and future projects/products/applications. Gerv has provided some data from CAs in support of this. [1]

Based on this discussion[2] and all of the input that I have received, I believe that we should keep the Email trust bit.

However, this discussion has surfaced the valid concerns that we need resource commitment to improve the policy and practices supporting the Email trust bit.

Here's what I think the person/people would do for S/MIME roots/certs:
1) Maintain and improve the code in NSS supporting S/MIME.
2) Become an expert in this area, learning about and providing information about how different countries, organizations, enterprises, and companies are depending on certs chaining up to publicly-trusted root certs that have the Email trust bit enabled.
3) Improve policies and requirements for CAs in the NSS root store with the Email trust bit enabled. This includes determining which audit criteria are required, and which auditors may be used.
4) Review each of the root inclusion/change requests for roots with the Email trust bit to be enabled, and provide feedback in mozilla.dev.security.policy.
5) Contribute to the decisions about whether or not to approve each request to enable the Email trust bit.

I believe that such a resource commitment would satisfy all of the arguments against the Email trust bit that Ryan so eloquently summarized. [3]

Is this a fair assessment?

Is there anything else that should be added to the "job description" above?

Thanks,
Kathleen

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/3NRrmmwBAgAJ
https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/9QRe7JlSAwAJ

[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/M6OpyA5FBAAJ

[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/ycC96j6PBAAJ


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
