Comment 127 for bug 232340

    I'm executive director of the Mozilla Foundation, and have been involved with the CAcert issue since it first came up. Here's the current situation; please feel free to confirm this with people directly associated with CAcert:

    We have a formal policy on the criteria for accepting new CA certificates into Mozilla; see

    http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html

    This policy was deliberately written so that it would not unfairly exclude nonprofit initiatives like CAcert. However the policy does require CAs, include CAcert, to undergo some sort of independent evaluation of their operations, according to some set of reasonable written criteria. CAcert has come up with a set of written criteria, analogous to the WebTrust criteria mentioned in the policy, and I told them the criteria were acceptable. However they have not yet had any luck in finding a third party who could do an evaluation of CAcert according to those criteria.

    So the holdup right now has to do with CAcert completing an independent evaluation of their operations. The holdup has nothing to do with Time Warner, AOL, Netscape, or anything else. I'm just asking CAcert to conform to the same policy we require every other CA to conform to, a policy that CAcert representatives had lots of opportunities to comment on and influence.