Mozilla Certificate FAQ (Proposed)

Version 0.2, February 9, 2004. Added question about information requested. Further emphasized that this represents personal opinions only at this time.

This is a draft document for public discussion. It reflects the personal opinions of the author, and does not necessarily represent the views of staff and the Mozilla Foundation.

Please post comments and questions to the netscape.public.mozilla.crypto newsgroup or the corresponding mozilla-crypto mailing list, or send them to the document author, Frank Hecker.

Details of the Mozilla Certificate Policy

How will the Mozilla Foundation decide whether or not to include a particular CA certificate?

As noted in the policy, our decision will be based on the benefits and risks of such inclusion to Mozilla users and the Mozilla community. We will judge such benefits and risks according to the following criteria, among others:

  • The end user functions made possible by the CA, and the manner in which the CA operates to support such functions. In particular, we will evaluate whether or not a CA operates in a manner likely to cause undue risk for Mozilla users.
  • The size of the CA's customer base and target market (i.e., the number of entities to which the CA has issued certificates or is likely to issue certificates).
  • The number of Mozilla users that communicate with or otherwise interact with the CA's customers. For example, a given CA might issue relatively few certificates, but those certificates might be issued to particular web sites used by a large number of Mozilla users.
  • Whether the CA serves a particular market of interest to all or part of the Mozilla user base. For example, a given CA might serve a country or geographic region within which we wish to promote localized Mozilla versions.
Can we pay the Mozilla Foundation to include our CA certificate in Mozilla?

No. The Mozilla Foundation will not charge fees to or accept fees from CAs whose certificates are selected for distribution with Mozilla and related software.

Why would the Mozilla Foundation discontinue including a CA certificate with Mozilla?

We can't anticipate all the reasons why we might discontinue including a CA certificate. We're simply putting CAs and others on notice that we might do so in the future if we ever felt such an action were necessary and appropriate.

What does the requirement to "offer services to the general public" mean?

We mean that the CA in question is a "public" CA that offers certificate-issuing services to any organizations and/or individuals willing to pay the CA's fees (if any) and accept the CA's terms of service. The Mozilla Foundation will not discriminate between public CAs that offer services to businesses (or other organizations) and CAs that offer services to individuals.

What does the requirement to "provide some service relevant to Mozilla users or the Mozilla community" mean?

To be written. Basically allows for exceptions, e.g., non-public CAs of interest to Mozilla developers, etc.

Will you consider including CA certificates for an organization's internal CA, or for a CA used for an organization's customers and/or suppliers?

In general, no. If a CA is used only to issue certificates for use within a given organization (a "private" or "internal" CA) then we would not see any real benefit to Mozilla users to including a CA certificate for that CA in Mozilla. A similar objection applies to CAs that are not purely internal but are still operated primarily in support of a particular organization's private business objectives (for example, a CA that issues certificates to that organization's suppliers and customers to facilitate selling to or buying from the organization in question).

Will you consider including CA certificates for CAs operated by academic or industry consortiums to issue certificates to consortium members?

Perhaps. We'll make our decision based on the potential benefit to Mozilla users and the Mozilla community, and this in turn will depend on the type of consortium it is and how "public" the consortium is (e.g., to what extent organizations and individuals in general may join the consortium). For example, if your consortium conducts scientific research, creates industry standards, or otherwise provides services that are of some public benefit then we would consider including your CA certificate in Mozilla, particularly if consortium membership were open to the general public (organizations and/or individuals) on reasonable terms.

Will you consider including CA certificates for CAs that are located outside the U.S., or for CAs that offer services only in particular geographic regions?

Yes in both cases. The Mozilla Foundation will not discriminate between CAs based on their location, and in particular will not discriminate between U.S.-based CAs and CAs based outside the U.S. (The only possible exception to this would be in cases where the Mozilla Foundation as a U.S.-based entity might be restricted in some way by U.S. laws. For example, it's not clear whether U.S. export control regulations would restrict the Mozilla Foundation from distributing CA certificates for CAs located in countries such as Cuba, North Korea, etc.)

We will also consider including CA certificates for CAs that offer services only in particular countries or other geographic regions (for example, a CA based in Japan that offers web server certificates only to Japanese companies). Even though such a CA's customers may be located only in a certain region, those customers (certificate holders) may communicate with others around the world. (For example, a web server with a certificate from a Japan-only CA may still receive connections from Mozilla users located outside Japan.)

We are a group that wants to operate our own CA to provide free certificates to others. Will you consider including our CA certificate in Mozilla?

Yes, if we feel it is of benefit to Mozilla users and would not cause undue risk to those users, and you otherwise meet the requirements outlined in the policy. The Mozilla Foundation will not discriminate between CAs operated by commercial companies and CAs operated by non-profit groups (whether formally incorporated or not), or between CAs that charge for their services and CAs that do not.

The two key criteria are whether your CA's services are of general benefit, and whether you appear to be operating your CA in a manner consistent with reasonable CA practices. Thus, for example, if your CA issues certificates only to you and your friends then we wouldn't see any general benefit to including your CA certificate in Mozilla. As another example, if you issued certificates for use in S/MIME secure email then we would expect your CA to attempt in some way to ensure that a certificate marked as being associated with a certain email address was issued only to a user who controlled that email account; otherwise you wouldn't be performing what we consider to be a basic function of a CA. Similarly, we would expect you to follow reasonable procedures to protect signing keys, ensure continuity of operations, and so on.

Exactly what information do we need to provide as part of the request to have our CA certificate included in Mozilla?

In genera we are looking for information that describes what your CA does and how it operates, in order that we may assess what benefits and risks are associated with including your CA certificate in Mozilla.

The requested information falls into the following general classes (note that if you are submitting requests for multiple certificates to be included, please provide information for all CAs associated with such certificates):

  • general information about your CA(s), including
    • a description of your organization
    • certificate-related services that you provide
    • target markets (e.g., industry sectors, customer groups, geographic regions, etc.)
    • contact information
  • published policy documents and related documents, such as
    • PKI disclosure statement (PDS), as discussed in Appendix A of the American Bar Association's draft PKI Assessment Guidelines
    • certificate policy (CP), as discussed in RFC 2527, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework"
    • certification practice statement (CPS), as discussed in the ABA "PKI Assessment Guidelines"
    • subscriber agreements and relying party agreements, as discussed in the ABA "PKI Assessment Guidelines"
  • other information relating to the operation of your CA, including
    • measures taken to ensure security of signing keys and related material
    • measures taken to ensure continuity of CA operations in the event of disasters or other adverse events
    • measures taken to inform customers and others of certificate revocation and other events affecting use of certificates issued by your CA(s), including published Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responders
  • any published third-party evaluations or endorsements of your CA and its policies and practices (e.g., WebTrust/AICPA)
  • any other information you wish the Mozilla Foundation to take into account when evaluating your request

Wherever possible please provide publicly-accessible URLs pointing documents in non-proprietary formats (e.g., as opposed to providing information in the form of Microsoft Word documents).

We may elect to publish submitted information for use by Mozilla users and others; please note any information which you consider to be proprietary and not for public release.