Frank Hecker wrote:
> John Nagle wrote:
>> As a user of SSL certificates in our SiteTruth system, which
>> attempts to identify and rate the business behind a web site, we're
>> concerned about CA reliability and trust. We've been using Mozilla's
>> approved root cert list for our system, and are considering whether
>> we should continue to do so.
>
> As a general point, I have never advocated having downstream licensees
> of Mozilla code accept the default NSS root list as is, without doing
> some due diligence on their own. There are lots of roots in that list
> that are there for legacy reasons, and others that are not necessarily
> of general interest (e.g., CAs operating within a single country or
> region). I encourage you and other licensees to trim the root list to
> meet your own needs and your own assessment of CAs.

If, e.g., a Linux distributor wants to ship Firefox and trims the list of pre-installed trusted root CA certs, is it still allowed to distribute the resulting code as Firefox?

Ciao, Michael.