After some discussion with folks on the NSS team, here's a proposal:
1) Add an item to the "To Be Discussed" section of https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3 to update Mozilla's CA Cert Policy to clarify which audit criteria are required depending on which trust bits are set. In particular, root certs with only the S/MIME trust bit set will have different audit criteria requirements than root certs with the Websites trust bit set.
2) Remove included root certs that only have the Code Signing trust bit enabled. To our knowledge, no one is using such root certs via the NSS root store.
Kathleen