In the discussion of how to handle certain certificates that no longer meet
CA/Browser Forum baseline requirements, Wayne asked for the "Reason that
publicly-trusted certificates are in use" by the customers.  This seems to
imply that Mozilla has an opinion that the default should not be to use
"publicly-trusted certificates".  I've not seen this previously raised, so
I want to better understand the expectations here and what customers should
consider for their future plans.

Is the expectation that "publicly trusted certificates" should only be used
by customers for servers that are:
- meant to be accessed with a Mozilla web browser, and
- publicly accessible on the Internet (meaning the DNS name is publicly
resolvable to a public IP), and
- committed to complying with a 24-hour (wall time) response time
certificate replacement upon demand by Mozilla?

Is the recommendation from Mozilla that customers who want to allow Mozilla
browsers to access sites but do not want to meet one or both of the other
two use the Firefox policies for Certificates (
https://github.com/mozilla/policy-templates/blob/master/README.md#certificates
) to add a new CA to the browser?

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
