Lots of Enterprises and organizations have very legitimate requirements to add their own internal root CA to the NSS store. In fact, Mozilla even answers the question of how to do this: https://wiki.mozilla.org/CA:FAQ#How_do_I_import_a_root_cert_into_NSS_on_our_organization.27s_internal_servers.3F
What type of "signing" of these internal Root certificates should be required?

On Monday, February 23, 2015 at 2:40:15 PM UTC-7, John Nagle wrote:
> With the Lenovo and Comodo disclosures, the restrictions
> on loading new certificates into Firefox clients need to be tightened.
>
> Add-on policy is moving to a new system where add-ons cannot be
> added to a production version of Firefox without approval from AMO.
> SSL certificates should get the same treatment. If you can't install a
> new add-on unless it's been signed by AMO, why should you be able to
> install a new SSL certificate without having it signed?
>
> John Nagle
> SiteTruth

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

