There are some other threads in this newsgroup about the criteria by which mozilla.org should choose to add root CAs to its built-in list of trusted CAs. Maybe there's a simpler solution.
Mozilla's built-in list contains a bunch of root CA certs, AND it contains trust information about each one, indicating for each cert whether it is trusted for SSL, for SMIME, for code signing, etc.
IIRC, today, the list contains only CAs that are trusted for at least one of those services. It does not presently include any CAs that are trusted for nothing. But there is no technical reason why it couldn't.
New root CAs could be added to the built-in list without any trust flags while mozilla.org decides whether to give trust or not.
Does that idea meet any needs? Whaddaya think?
-- Nelson B
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
