On Tue, Jan 16, 2018 at 3:45 PM, Wayne Thayer via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> I would like to open a discussion about the criteria by which Mozilla
> decides which CAs we should allow to apply for inclusion in our root store.
>
> Section 2.1 of Mozilla’s current Root Store Policy states:
>
> CAs whose certificates are included in Mozilla's root program MUST:
>>     1.    provide some service relevant to typical users of our software
>> products;
>>
>
> Further non-normative guidance for which organizations may apply to the CA
> program is documented in the ‘Who May Apply’ section of the application
> process at https://wiki.mozilla.org/CA/Application_Process . The original
> intent of this provision in the policy and the guidance was to discourage a
> large number of organizations from applying to the program solely for the
> purpose of avoiding the difficulties of distributing private roots for
> their own internal use.
>
> Recently, we’ve encountered a number of examples that cause us to question
> the usefulness of the currently-vague statement(s) we have that define
> which CAs to accept, along a number of different axes:
>
[snip]
>
> There are many potential options for resolving this issue. Ideally, we
> would like to establish some objective criteria that can be measured and
> applied fairly. It’s possible that this could require us to define
> different categories of CAs, each with different inclusion criteria. Or it
> could be that we should remove the existing ‘relevance’ requirement and
> inclusion guidelines and accept any applicant who can meet all of our other
> requirements.
>
> With this background, I would like to encourage everyone to provide
> constructive input on this topic.

Wayne,

In the interest of transparency, I would like to add one more example
to your list:

* Amazon Trust Services is a current program member.  Amazon applied
independently but then subsequently bought a root from Go Daddy
(obvious disclosure: Wayne was VP at Go Daddy at the time).  So far
there is no public path to bring Amazon a public key/CSR you generate
on your own server and have Amazon issue a certificate containing that
public key.  The primary path to getting a certificate issued by
Amazon is to use AWS Certificate Manager.  That being said, we have
issued certificates to hundreds of thousands of domains and Mozilla
telemetry data shows they are being widely used by users of Mozilla
software products.

Thanks,
Peter

P.S. I'm very much looking forward to the Firefox ESR 60 release, as
that will mark Amazon inclusion for EV in all Mozilla products.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy