I’ve published a new draft of the proposed Mozilla CA certificate policy. For information on changes from the previous draft please see my posting in the netscape.public.mozilla.crypto newsgroup (aka the mozilla-crypto mailing list).

(Note that I have not yet completed writing the accompanying FAQ, but will try to do so in the coming weeks.)

This new draft is intended to replace the simple “WebTrust or equivalent” policy that I’ve been using recently when deciding whether or not to approve CAs for inclusion in Mozilla-related software. (This interim policy was based on Microsoft’s policy.)

The motivations for the proposed new policy are as follows:

  • As a public organization and public project, the Mozilla Foundation and the Mozilla project need to have a publicly-justifiable policy on how we decide whether or not to include particular CA certificates in Firefox, Thunderbird, etc. We can’t make decisions for reasons that we can’t explain or defend.

  • Since inclusion of CA certificates has security implications, the policy ultimately has to take into account the risk/benefit tradeoff to typical end users (in other words, people who don’t know anything about CAs and certificates, and who just accept the default configuration settings).

  • When it comes to judging security risks associated with CAs, we need some objective criteria that we can apply to CAs. Since Mozilla-related products embody a relatively traditional approach to how CAs and certificates work (in other words, we’re not trying to totally overturn the traditional PKI model behind SSL, S/MIME, etc.), we might as well use existing published criteria that various people and organizations have developed for how CAs should operate.

  • However, at the same time we want to provide some flexibility in which criteria we use and what exactly we require of CAs in terms of demonstrating conformance to those criteria, consistent with our goal of preserving and promoting choice and innovation on the Internet. So, for example, in the draft policy I’ve allowed for the possibility of approving CAs that have not taken the traditional route of paying for expensive audits through WebTrust and similar programs, as long as we can otherwise satisfy ourselves that the CA is operating in a satisfactory manner.

Please provide comments and suggestions on the policy in n.p.m.crypto. Based on those comments I will try to make a final draft that I can submit to the Mozilla Foundation for approval.