A few months ago, we discussed our root inclusion criteria [1], and came to
a conclusion that I summarized and proposed in policy as follows:

> I would like to thank everyone for your constructive input on this topic.
> At the outset I stated a desire to ‘establish some objective criteria that
> can be measured and applied fairly’. While some suggestions have been made,
> no clear set of criteria has emerged. At the same time, we’ve heard the
> argument that our time would be better spent on raising the bar for all CAs
> in the program, regardless of their subjective value to typical users of
> our products.
>
> Some thought was also given to applying unique technical criteria to new
> CAs, such as limiting certificate lifetime to 90 days or requiring ACME
> support. It was pointed out, however, that this favors incumbents and
> doesn’t drive improvement in the overall ecosystem.
>
> The conclusion from this discussion is that we will not attempt to restrict
> organizations from participating in the Mozilla CA program based on a
> judgement of their value to our users. We will continue to require
> applicants to demonstrate compliance with our policies, and reserve the
> right to deny membership to any CA at our discretion, e.g. because they
> have a documented pattern of misbehavior or we believe they intend to
> violate our policies.
>
> Here is a proposed update to the Mozilla Root Store Policy reflecting this
> decision:
>
> https://github.com/mozilla/pkipolicy/compare/master...inclusion-criteria?quick_pull=1
>

Having just reviewed this again, I recommend that we also remove the word
“typical” from section 2.1(1) of the policy that reads:

> CAs whose certificates are included in Mozilla's root program MUST:
> 1. provide some service relevant to typical users of our software
> products;
>

This is: https://github.com/mozilla/pkipolicy/issues/118 and
https://github.com/mozilla/pkipolicy/issues/104

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/GbXvh9ulboI/DWdJUc_cAQAJ

-------

This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
is consent.

Policy 2.5 (current version):
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy