Comment 51 for bug 232340

In , Rolf-sponsel (rolf-sponsel) wrote :

(In reply to comment #50)
> I would not ask Mozilla users to trust this (or any other certificate authority)
> without some assurance (beyond self assertions) that its practices do indeed
> meet the standards generally advocated for CAs.

Could you please be a little more specific about what the "standards generally
advocated for CAs" - which you vaguely refer to - are?

Then, what should MF do with those CAs, already included today, that do not meet
those standards? Should their root certificates be removed from the next Mozilla
release (i.e. Mozilla 1.7)?

> This illustrates the need for a clear policy as requested in bug #233453.

Yes, I too support a "clear policy" (I guess!? ;-)). But, until such a policy is
in place, there is no reason to block all new CAs (or even existing CAs' new
Root Certificates). Rather, once that "clear policy" is in place all the CAs,
even those already included in Mozilla today, must be scrutinized against it.
I guess this will not happen within the foreseeable future; will it?

Theorizing is always a good thing to start with, but to avoid a full stop,
until the ultimate solution eventually has been unanimously agreed on, there is
a need for some pragmatism. Accepting new CA Root Certificates for inclusion,
in the meantime until a "clear policy" has been established, allows the new CAs
to *gain* their trust (this as opposed to having to "purchase" their "trust").