Comment 29 for bug 232340

Nelson-bolyard (nelson-bolyard) wrote:

Any bug that requests that a CA cert be added to mozilla MUST have the
proposed new CA cert(s) attached to it. Otherwise, the requestor is
rudely asking the mozilla developers to find the cert to include it.

The American Institute of Certified Public Accountants, and their Canadian
equivalent, have jointly established a set of criteria for root CAs.
They have a program for testing CAs to see if they pass muster.
They "attest" (as opposed to certify, they're not a CA) that the third
party CA meets their standards. You can read more about this program here.

http://www.aicpa.org/webtrust/caexec~1.htm

Microsoft also uses this standard for CAs. You can read about that here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp

I have no opinion about the worthiness of the particular CA being proposed
in this bug. I don't know who it is yet. But my question would be:

Does webtrust "attest" to this CA?

I think that should be one of the criteria.

PKI is about TRUST. All root CAs that are trusted for (say) SSL service
are trusted EQUALLY for that service. If we let a single CA into mozilla's
list of trusted CAs, and they do something that betrays the public's trust,
then there is a VERY REAL RISK that the public will lose ALL FAITH in the
"security" (the lock icon) in mozilla and its derivatives.

We don't want that to happen. If that happens, mozilla's PKI becomes
nothing more than a joke. If you want to see mozilla's PKI continue to
be taken seriously, you will oppose allowing unattested CAs into mozilla's
list of trusted root CAs.