I’ve been working on the Mozilla CA certificate policy for some time now. I’ve created a “metapolicy” to help guide how the final policy should look. Note that the metapolicy doesn’t address any of the truly hard issues, like how to evaluate Certificate Authorities that haven’t undergone WebTrust audits or other independent audits. That will have to wait for future work (and time for me to do it).

In the meantime I’ve been following a simple interim policy, one that is basically equivalent to Microsoft’s policy: I’m approving CAs that have successfully passed a WebTrust for CAs audit, or an audit that (in my judgement) is “WebTrust equivalent.”