Comment 130 for bug 232340

I developed a checklist for an independent review of certificate authorities (CAs) in alignment with the new policy but distinct from a WebTrust audit. The checklist is in the form of a list of requirements with a trace to the WebTrust criteria. Frank Hecker reviewed my checklist and offered suggestions, which I incorporated.

With the approval of Hecker, I started a review of the CACert "Certificate Policy" based on my checklist. That review uncovered some deficiencies, which CACert has endeavored to correct. I became distracted from further review by my appointment to my county's Grand Jury (a year's assignment with a second year's extension), so I turned my notes over to another reviewer.

The primary issue is trust. If Mozilla includes a CA's root certificate, Mozilla implies that the rest of us should trust that certificate. My initial review of CACert's "Certificate Policy" did not give me a good feeling about trusting them. The start of my second review was more positive, but I did not complete that effort.

Several of those who have commented here appear dissatisfied with the Mozilla process for approving CAs and their root certificates. If you don't care about a thorough review of a certificate authority, you are free to go to <http://www.cacert.org/certs/root.crt>, download CACert's root certificate, and install it on your own PC. You would then bypass Mozilla, take control of the situation, and assume any risks. If you don't want to assume the risk that a CA is negligent or outright incompetent to control the use of its root certificate, however, don't ask Mozilla to assume that risk (and thus risk a lawsuit when someone loses money as the result of trusting an untrustworthy CA) without a thorough review.

By the way, comments here should be limited to technical issues and status reports. Flame wars, conspiracy theories, etc are not appropriate.