Nelson B wrote [in part]:
>
> I previously wrote [also in part]:
>
> > A Mozilla Foundation policy has been drafted to address this
> > issue. The policy provides for alternative approvals for root
> > certificates, thus not tying Mozilla strictly to WebTrust.
> > Approval of that policy is pending.
>
> That policy is Mozilla's de facto policy now. Frank's draft policy,
> in its various revisions, is the policy that has been followed for
> the last year, and is the policy now being followed.

I believe that, until the Mozilla Foundation gives formal approval to the policy, Frank is approving only CA root certificates that have the WebTrust seal. This assumption is supported by the history of recent certificate approvals.

The primary issue is trust. When a secure Web site is selected and the lock icon changes from open to closed, unsophisticated users trust that the Mozilla or Firefox browser has correctly identified and authenticated the site. Until CAcert's practices are reviewed, the Mozilla Foundation cannot risk its user base by installing CAcert's root certificate.

This review has started even though the policy has not yet been reviewed. The review itself started using draft CAcert documents and cannot conclude until CAcert's own documents are in final form.

In the meantime, all those demanding that CAcert's root certificate be installed in browsers can readily download and install it themselves in their own configurations. This way, the users are accepting all risks without creating any liability for the Mozilla Foundation.

--
David E. Ross
<URL:http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that complies with Web standards. See <URL:http://www.mozilla.org/>.
