Mozilla CA certificate policy submitted for consideration

I have just submitted a Mozilla CA certificate policy 1.0 release candidate to the Mozilla Foundation and mozilla.org staff for consideration as an official 1.0 policy. This version of the policy is basically the draft 12 version with two changes: (1) I explicitly marked the policy as a release candidate; (2) I made a minor change to the last sentence in clause 7 to clarify the meaning of the sentence. Here is the message I sent to mozilla.org staff recommending adoption of the policy. Note that I tried to distinguish between points on which there has been reasonable consensus (at least among the people who’ve commented on the policy throughout this process) and points on which no real consensus exists (at least in my opinion); I also tried to fairly characterize the nature of any remaining disagreements and indicate the implications for future policy. ...

2005-04-14 · 10 min · Frank Hecker

Draft 12 of Mozilla CA certificate policy

I’ve just posted a new draft 12 of the proposed Mozilla CA certificate policy, and absent strong objections plan to submit this to the Mozilla Foundation for approval as a 1.0 policy. The two substantive changes in this draft are as follows: To address some of the concerns expressed about CAs issuing “duff” certificates (defined loosely as certificates that are dubious from a security or technical point of view) I’ve expanded clause 4 to add examples of certificate-related problems that might cause us to reject a CA’s application for inclusion or to consider removing an already-included CA certificate. ...

2005-04-09 · 4 min · Frank Hecker

JWZ considered disruptive

I’ve previously thought of Jamie Zawinski not just as an excellent hacker but also as a marketing talent, creator of the original mozilla.org “brand.” (Imagined conversation: “You know, these open source and free software types are all radical anarchists or Marxist hippies; they’ll really go for a brand image that reminds them of trashing a WTO meeting.” “Well, Jamie, you’re the expert…”) Now based on his “groupware bad” rant it turns out that JWZ is also a leading-edge corporate competitive strategist; maybe the people getting Harvard Business School MBAs could take a break and hang out at the DNA Lounge instead. ...

2005-02-26 · 8 min · Frank Hecker

Patch for atomfeed plugin (UTC dates)

UPDATE 2023-03-27: This page is obsolete, as it refers to a prior version of this blog. However, it may be of historical interest. I recently experienced a strange problem with the Atom feed on my weblog. My weblog server is running on US Eastern time as the basic time zone, but the story dates in the Atom feed should be expressed in UTC/GMT; the atomfeed plugin has code that supposedly should do any necessary conversions. On my local test blog (running under OS X 10.3 using Perl 5.8.1) this worked fine, but on my real blog (running on Red Hat Enterprise Linux 3 using Perl 5.8.0) the dates in the Atom feed were incorrect; they were five hours earlier than what they should be, suggesting that they didn’t get converted to UTC/GMT. After some investigation this turned out to be due to non-portable code in the atomfeed plugin. ...

2005-02-20 · 2 min · Frank Hecker

Feel the love: Love/Hate brand scores for Firefox, etc.

I happened to stumble upon a blog post by Jennifer Rice on “Love/Hate brand scores”. She did a thoroughly unscientific comparison of common brands based on querying Google for “I love Foo” and “I hate Foo” (similar to Googlefight, but taking the idea a bit further). I’ve recomputed her results and included some brands and products of interest to us. Here’s the original Love/Hate brand score table, with all figures recomputed based on new searches (partly so I can understand exactly how she computed her results, and partly to get a consistent baseline for adding Firefox et al.); I’ve left the brands in the same order as in Rice’s table for ease of comparison. ...

2005-02-18 · 5 min · Frank Hecker

Draft 10 of Mozilla CA certificate policy

I’ve posted a new draft 10 of the proposed Mozilla CA certificate policy. The only substantive changes are as follows: (1) I changed the language on disclosure of financial compensation (i.e., of independent evaluators by CAs) to read “publicly disclose” as opposed to “fully and publicly disclose”; in other words, I dropped the word “fully.” (2) I added a section discussing revision of the policy, and noting that such revision would be done only after public discussions (similar to what we’re doing now). ...

2005-02-16 · 4 min · Frank Hecker

Full disclosure: for and against

In the course of our discussing the proposed Mozilla CA certificate policy, Ian Grigg happened to ask about the existing Mozilla policy on handling security bugs and how we tried to forge a compromise between people advocating full disclosure of security bugs and people who were opposed to that. (Ian was interested in this because he and Adam Shostack have been blogging on the “economics of disclosure.”) I happened to look back at the Google archives of the discussions we had, and found some material that I thought was worth revising, reprinting, and commenting upon, especially for people who are not aware of how the current Mozilla policy came to be. ...

2005-02-13 · 14 min · Frank Hecker

Draft 9 of Mozilla CA certificate policy

I’ve created a new draft 9 of the proposed Mozilla CA certificate policy. The main substantive changes are as follows: I extended the policy’s requirements to cover all CAs, not just new CAs. This puts existing CAs on notice that in the future we can (and I hope will) go back through the list of CA certificates already included in Mozilla-related products and decide whether or not particular CA certificates should continue to be included. ...

2005-02-11 · 3 min · Frank Hecker

Draft 8 of Mozilla CA certificate policy

I’ve created a new draft 8 of the proposed Mozilla CA certificate policy. The main substantive changes are as follows: I changed references to “users” to clarify that we’re referring to users of the products distributed by the Mozilla Foundation through mozilla.org. I added a requirement for CA disclosure of business practices in the form of a Certification Practice Statement. Besides being a good idea in general, it’s typically the CPS that is referenced in auditor/evaluator reports, so it’s needed to provide a more complete picture of the CA’s conformance to whatever criteria are used to evaluate its operations. (For examples of Certification Practice Statements see my draft Mozilla CA certificate list.) ...

2005-02-08 · 2 min · Frank Hecker

Draft 7 of Mozilla CA certificate policy

I’ve published a new draft of the proposed Mozilla CA certificate policy. For information on changes from the previous draft please see my posting in the netscape.public.mozilla.crypto newsgroup (aka the mozilla-crypto mailing list). (Note that I have not yet completed writing the accompanying FAQ, but will try to do so in the coming weeks.) This new draft is intended to replace the simple “WebTrust or equivalent” policy that I’ve been using recently when deciding whether or not to approve CAs for inclusion in Mozilla-related software. (This interim policy was based on Microsoft’s policy.) ...

2005-02-06 · 2 min · Frank Hecker