All,
Thank you for your patience throughout this long discussion. I
appreciate all of your thoughtful and constructive input.
I feel confident now that we should do the following:
1) Remove reference to the code signing trust bit from version 2.3 of
Mozilla's CA Certificate Policy.
2) When version 2.3 is published, also remove reference to the code
signing trust bit from CA-program related wiki pages.
3) After version 2.3 of the policy is published and the change has been
properly communicated (CA Communication, security blog, press regarding
the policy update), turn off the Code Signing trust bits for included
root certs, and remove any root certs that are left will all trust bits
turned off.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
