Comment 76 for bug 232340

I am merely an interested techie with no connections to cacert or MF.
I can see the concerns of some who are apprehensive of undermining mozilla's
standing in the "community" and possibly the whole CA/ssl infrastructure.

cacert is also justified in its frustration at having no path through which it
can gain the inclusion of its root certificate, or even a set of viable
requirements it can work towards.

Personally I think their certificate should be included as long as:

1. Their hardware/network is hosted at an independant site at which 3 of their
board/team/authorised people have secure access.
(By independant I mean a location at which no one person with access has a
greater vested interest in than another - which rules out their respective
employers, partners employers etc.)

2. Their management/board structure is transparent with decisions requiring a
minimum of three people, and clear policies/procedures for ensuring the equal
distribution of power between board members

3. CaCert have clear policies/procedures for natural changes in board membership
and also policies/procedures for the removal of board members who have acted in
bad faith.

Whether cacert meets or surpasses these requirements I dont know but reading all
the other peoples posts, it appears that their technical implementation was not
the major concern, but more the trust element. The above suggestions are merely
designed to foster that trust at MF
Which in a nutshell is the whole point of being a certificate authority.

I believe the issue is worth re-examining as firefox 1.0 and thundebird 1.0 are
out of the door, and people at MF may have the time to look at the issues involved.
Feel free to disagree with anything I've said

Thanks Gersh
NB My views only apply to the cacert situation, other CA's would possibly need
to be looked at completely differently, once again its back to MF drafting a
clear policy on the issue for the future.