I would like to thank everyone for your constructive input on this topic. At the outset I stated a desire to ‘establish some objective criteria that can be measured and applied fairly’. While some suggestions have been made, no clear set of criteria has emerged. At the same time, we’ve heard the argument that our time would be better spent on raising the bar for all CAs in the program, regardless of their subjective value to typical users of our products.
Some thought was also given to applying unique technical criteria to new CAs, such as limiting certificate lifetime to 90 days or requiring ACME support. It was pointed out, however, that this favors incumbents and doesn’t drive improvement in the overall ecosystem.

The conclusion from this discussion is that we will not attempt to restrict organizations from participating in the Mozilla CA program based on a judgement of their value to our users. We will continue to require applicants to demonstrate compliance with our policies, and reserve the right to deny membership to any CA at our discretion, e.g. because they have a documented pattern of misbehavior or we believe they intend to violate our policies.

Here is a proposed update to the Mozilla Root Store Policy reflecting this decision: https://github.com/mozilla/pkipolicy/compare/master...inclusion-criteria?quick_pull=1

As always, comments are welcome. I intend to begin a discussion of the next version of the policy soon and will plan to include this change in it.

- Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy