Comment 205 for bug 232340

In , Hecker-hecker (hecker-hecker) wrote :

Gerv and I were trying to add comments at the same time. His comments in large part duplicated what I wrote, so I'll skip repeating his points. However I did want to add one comment to supplement Gerv's:

(In reply to comment #161)
> Also - should CAs be required to seek approval - is there a problem with users
> requesting that CAs be added if the CA does not seek this approval? Shouldn't
> users of CACert and mozilla products be able to request the approval of the
> root cert?

As Gerv wrote, we've previously indicated that we will accept requests only from CAs, not from users; if users want a particular CA to be included then the users should contact the CA directly. Here are some reasons we do this, besides the reasons Gerv mentioned:

1. As a matter of common courtesy, if a CA explicitly doesn't want its root
cert to be included then we should respect that wish.

2. If a CA is unresponsive to others' requests regarding whether or not it
wants to be included, then it is also very likely to be unresponsive to our
requests for the information we need to evaluate whether that CA meets our
policies.

3. Some CAs consider their root CA certs to be copyrighted material subject to
limitations on redistribution. By requiring that CAs explicitly ask us to
include their certs, and by explicitly making them aware of our policies on
inclusion, we help ensure that we have any necessary permissions from the CA,
and that the CA is fully aware of how their certs will be used (or not used, as
the case may be).