I’ve created a new draft 9 of the proposed Mozilla CA certificate policy. The main substantive changes are as follows: I extended the policy’s requirements to cover all CAs, not just new CAs. This puts existing CAs on notice that in the future we can (and I hope will) go back through the list of CA certificates already included in Mozilla-related products and decide whether or not particular CA certificates should continue to be included. ...
I’ve created a new draft 8 of the proposed Mozilla CA certificate policy. The main substantive changes are as follows: I changed references to “users” to clarify that we’re referring to users of the products distributed by the Mozilla Foundation through mozilla.org. I added a requirement for CA disclosure of business practices in the form of a Certification Practice Statement. Besides being a good idea in general, it’s typically the CPS that is referenced in auditor/evaluator reports, so it’s needed to provide a more complete picture of the CA’s conformance to whatever criteria are used to evaluate its operations. (For examples of Certification Practice Statements see my draft Mozilla CA certificate list.) ...
I’ve published a new draft of the proposed Mozilla CA certificate policy. For information on changes from the previous draft please see my posting in the netscape.public.mozilla.crypto newsgroup (aka the mozilla-crypto mailing list). (Note that I have not yet completed writing the accompanying FAQ, but will try to do so in the coming weeks.) This new draft is intended to replace the simple “WebTrust or equivalent” policy that I’ve been using recently when deciding whether or not to approve CAs for inclusion in Mozilla-related software. (This interim policy was based on Microsoft’s policy.) ...
A while ago someone wrote to mozilla.org staff asking “What is the ECCN for Mozilla?” For that small fraction of the world’s population who knows what an ECCN is (an “Export Control Classification Number” for U.S. encryption export control regulations) and cares about what Mozilla’s ECCN happens to be, here’s the answer I gave. Note that this is not an “official” answer, but it’s the closest thing to it you’re likely to get. ...
I have published a new draft 5 of the proposed Mozilla CA certificate policy. For detailed line-by-line changes from the previous draft please see my posting in the netscape.public.mozilla.crypto newsgroup (aka the mozilla-crypto mailing list). (Note that I have not yet updated the accompanying FAQ, but will try to do so in the next few days. Unfortunately for various reasons I will have less free time during the holiday season than I would normally, so I can’t commit to getting this done right away.) ...