Version 0.2, February 9, 2004. Added question about information requested. Further emphasized that this represents personal opinions only at this time.
This is a draft document for public discussion. It reflects the personal opinions of the author, and does not necessarily represent the views of mozilla.org staff and the Mozilla Foundation.
As noted in the policy, our decision will be based on the benefits and risks of such inclusion to Mozilla users and the Mozilla community. We will judge such benefits and risks according to the following criteria, among others:
No. The Mozilla Foundation will not charge fees to or accept fees from CAs whose certificates are selected for distribution with Mozilla and related software.
We can't anticipate all the reasons why we might discontinue including a CA certificate. We're simply putting CAs and others on notice that we might do so in the future if we ever felt such an action were necessary and appropriate.
We mean that the CA in question is a "public" CA that offers certificate-issuing services to any organizations and/or individuals willing to pay the CA's fees (if any) and accept the CA's terms of service. The Mozilla Foundation will not discriminate between public CAs that offer services to businesses (or other organizations) and CAs that offer services to individuals.
To be written. Basically allows for exceptions, e.g., non-public CAs of interest to Mozilla developers, etc.
In general, no. If a CA is used only to issue certificates for use within a given organization (a "private" or "internal" CA) then we would not see any real benefit to Mozilla users to including a CA certificate for that CA in Mozilla. A similar objection applies to CAs that are not purely internal but are still operated primarily in support of a particular organization's private business objectives (for example, a CA that issues certificates to that organization's suppliers and customers to facilitate selling to or buying from the organization in question).
Perhaps. We'll make our decision based on the potential benefit to Mozilla users and the Mozilla community, and this in turn will depend on the type of consortium it is and how "public" the consortium is (e.g., to what extent organizations and individuals in general may join the consortium). For example, if your consortium conducts scientific research, creates industry standards, or otherwise provides services that are of some public benefit then we would consider including your CA certificate in Mozilla, particularly if consortium membership were open to the general public (organizations and/or individuals) on reasonable terms.
Yes in both cases. The Mozilla Foundation will not discriminate between CAs based on their location, and in particular will not discriminate between U.S.-based CAs and CAs based outside the U.S. (The only possible exception to this would be in cases where the Mozilla Foundation as a U.S.-based entity might be restricted in some way by U.S. laws. For example, it's not clear whether U.S. export control regulations would restrict the Mozilla Foundation from distributing CA certificates for CAs located in countries such as Cuba, North Korea, etc.)
We will also consider including CA certificates for CAs that offer services only in particular countries or other geographic regions (for example, a CA based in Japan that offers web server certificates only to Japanese companies). Even though such a CA's customers may be located only in a certain region, those customers (certificate holders) may communicate with others around the world. (For example, a web server with a certificate from a Japan-only CA may still receive connections from Mozilla users located outside Japan.)
Yes, if we feel it is of benefit to Mozilla users and would not cause undue risk to those users, and you otherwise meet the requirements outlined in the policy. The Mozilla Foundation will not discriminate between CAs operated by commercial companies and CAs operated by non-profit groups (whether formally incorporated or not), or between CAs that charge for their services and CAs that do not.
The two key criteria are whether your CA's services are of general benefit, and whether you appear to be operating your CA in a manner consistent with reasonable CA practices. Thus, for example, if your CA issues certificates only to you and your friends then we wouldn't see any general benefit to including your CA certificate in Mozilla. As another example, if you issued certificates for use in S/MIME secure email then we would expect your CA to attempt in some way to ensure that a certificate marked as being associated with a certain email address was issued only to a user who controlled that email account; otherwise you wouldn't be performing what we consider to be a basic function of a CA. Similarly, we would expect you to follow reasonable procedures to protect signing keys, ensure continuity of operations, and so on.
In general we are looking for information that describes what your CA does and how it operates, in order that we may assess what benefits and risks are associated with including your CA certificate in Mozilla.
The requested information falls into the following general classes (note that if you are submitting requests for multiple certificates to be included, please provide information for all CAs associated with such certificates):
Wherever possible please provide publicly accessible URLs pointing to documents in non-proprietary formats (e.g., as opposed to providing information in the form of Microsoft Word documents).
We may elect to publish submitted information for use by Mozilla users and others; please note any information which you consider to be proprietary and not for public release.