Section 7.1 of the policy says that we reserve the right not to include
certificates from a CA which has:

"knowingly issue certificates that appear to be intended for fraudulent

There are a few problems with this.

* It's only in the inclusion section.
* It's really subjective - how could you prove a CA "knowingly" did this?

How can a CA tell a certificate "appears to be intended for fraudulent
use"? As bad actors don't set the "evil bit", the only way I can think
of that a CA might do this check is by looking at the domain name and
checking to see if it's anything like a "famous" brand. But Mozilla has
taken the position that we don't believe it's the responsibility of CAs
to police the domain name space.

We already have the power to chuck out misbehaving CAs, or not include
ones which are dodgy; we don't need this clause for that either.

So I propose removing it, and reformatting the section accordingly.

This is:


This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
Update process:
dev-security-policy mailing list

Reply via email to