Comment 64 for bug 232340

In , Rouben (rouben) wrote :

(In reply to comment #63)
> This is about control of the root certificates that will ship
> with the browser by default (and not disabled in any way).

Indeed. Mozilla should definitely have a policy of some sort (or a checklist of
minimum requirements from CAs, at the very least), and/or provide the means for
others to exercise their own policies by means of a "deployment toolkit" of some
sort, as one possible way to do it.

The bottom line, however, is that in the corporate environment (e.g. for
corporate Intranet certificates) nothing is stopping you from creating your own
custom certificate collection for Mozilla and deploying it to all your end-users
(essentially forcing it upon them). Unfortunately you can't do that to the
entire world. ;)

> People don't want their users to get confused by the popup
> dialog that the website they are accessing is not recognized!

Not really... What was suggested is that some CA root certs ship "flagged" (i.e.
not trusted out of the box). That way, if a user connects to a web server with
an SSL cert signed by a "flagged" root cert, they will be prompted.

To a user it makes absolutely no difference: they see a popup either way
(whether the root cert is included and flagged or not included at all). If they
choose to "always trust it" in the latter case, the certificate will be stored
in that user's certificate manager, which automatically will make it trusted (as
far as I understand). From the point of view of PKI, this is *bad*, because
ideally one is supposed to get the *root* certificate in their certificate
manager, so that any certificates that are signed by that root cert will
implicitly become trusted and won't have to be added in manually.
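The difference described above, between a user accepting one site certificate with "always trust" and a root certificate being trusted in the certificate manager, as an added model in Python (example code, not from this bug thread or from Mozilla's NSS; the CA and host names are constructed, and signature checking is omitted so the model runs offline):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root

@dataclass
class TrustStore:
    # shipped root certs -> trusted?  A shipped-but-"flagged" root is False.
    roots: Dict[Cert, bool] = field(default_factory=dict)
    # certs the user accepted with "always trust": trusted as themselves only
    user_trusted: Set[Cert] = field(default_factory=set)

    def verify(self, leaf: Cert, chain: List[Cert]) -> bool:
        """True if leaf was explicitly accepted or chains to a trusted root."""
        if leaf in self.user_trusted:
            return True
        known = {c.subject: c for c in list(self.roots) + chain}
        cert, seen = leaf, set()
        while cert.subject != cert.issuer:       # walk up to a self-signed cert
            if cert.subject in seen:             # guard against issuer loops
                return False
            seen.add(cert.subject)
            cert = known.get(cert.issuer)
            if cert is None:                     # issuer unknown: no path
                return False
        return self.roots.get(cert, False)       # root present AND trusted?

# constructed sample PKI: one root, two intranet hosts it signed
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
SITE_A = Cert("CN=intranet-a.example", "CN=Example Root CA")
SITE_B = Cert("CN=intranet-b.example", "CN=Example Root CA")

def accept_leaf(root_shipped: bool) -> Tuple[bool, bool]:
    """User hits the popup on SITE_A and clicks 'always trust' on the leaf."""
    store = TrustStore(roots={ROOT: False} if root_shipped else {})
    store.user_trusted.add(SITE_A)
    return store.verify(SITE_A, []), store.verify(SITE_B, [])

def trust_root() -> Tuple[bool, bool]:
    """The root itself is marked trusted in the certificate manager."""
    store = TrustStore(roots={ROOT: True})
    return store.verify(SITE_A, []), store.verify(SITE_B, [])
```

Whether the root ships flagged or is absent, accepting the leaf leaves the sibling host untrusted; only trusting the root makes every certificate it signed verify.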