On 21/10/14 10:06, Anne van Kesteren wrote:
> This seemed like a good suggestion and based on what Ryan and Brian
> said I added this question to the FAQ:
> 
> https://wiki.mozilla.org/CA:FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F

Anne wrote:

"The decisions Mozilla makes with regards to the inclusion of CA
certificates are directly tied to the capabilities and behaviors of the
software Mozilla distributes. It would therefore be irresponsible to
bundle Mozilla's set of CA certificates with other software."

I don't agree with that. I think Ryan's "caveat embeddor" is a much
better way to put it. I would say something like:

"The decisions Mozilla makes with regards to the inclusion or exclusion
of CA certificates in its root store are directly tied to the
capabilities and behaviours of the software Mozilla distributes.
Sometimes, a security change is made wholly or partly in the software
instead of the root store. Further, Mozilla does not promise to take
into account the needs of other users of its root store when making such
decisions.

Therefore, anyone considering bundling Mozilla's root store with other
software needs to be aware of the issues surrounding providing a root
store, and committed to making sure that they maintain security for
their users by carefully observing Mozilla's actions and taking
appropriate steps of their own."

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy