The mozilla.org CA certificate policy[0] states, in part:
"We require that all CAs whose certificates are distributed with our
software products provide some service relevant to typical users of our
software products."
We have interpreted this to include standard commercial CAs, other CAs
who sell certificates to anyone or almost anyone, and government-run
CAs. We have interpreted it to exclude CAs which are internal to a
business or organisation.
We have two outstanding applications for inclusion from CAs who
represent not a national government, but a regional government. They are
from the regional government of Catalonia, Spain[1] and the city
government of Vienna, Austria[2].
The inclusion of a CA incurs a cost - in time to evaluate the request
(and we do have a backlog), in download size, and in marginally
increased risk of a failure of the system by e.g. private key
compromise. We have to balance that against the expected usefulness of
the root certificate to our users.
We are, at this time, uncertain as to where and how to draw the line,
and so are putting the issue here for discussion. Options include, but
are not limited to, excluding all CAs serving less than a country,
including all CAs who apply, and shipping some certs in some builds and
not in others. Thoughts?
Please respect the Followup-To header.
Gerv
[0]
http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=295474
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=295474
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
