Mozilla Certificate Policy (Proposed)

Version 0.2, February 9, 2004. Clarified that risks ("negative benefits") should be taken into account in decisions. Further emphasized that this represents personal opinions only at this time.

This is a draft document for public discussion. It reflects the personal opinions of the author, and does not necessarily represent the views of mozilla.org staff and the Mozilla Foundation.

Please post comments and questions to the netscape.public.mozilla.crypto newsgroup or the corresponding mozilla-crypto mailing list, or send them to the document author, Frank Hecker.

When distributing Mozilla and related software, the Mozilla Foundation includes with such software a default certificate database containing X.509v3 certificates for various Certification Authorities (CAs). Each certificate is marked in the database as "trusted" for particular purposes (the so-called "trust bits"), so that Mozilla can use it automatically to verify certificates for SSL servers, S/MIME email users, etc., without asking Mozilla users for further permission or information.

This is the official Mozilla Foundation policy for certificates that it distributes with Mozilla and related software:

  1. The Mozilla Foundation will determine which certificates are included in versions of Mozilla and related software distributed through mozilla.org, based on the benefits and risks of such inclusion to Mozilla users and the Mozilla community.
  2. The Mozilla Foundation will not charge any fees to have a CA's certificate distributed with Mozilla.
  3. The Mozilla Foundation reserves the right to discontinue including any CA certificate in Mozilla, at any time and for any reason.
  4. The Mozilla Foundation will consider adding certificates for additional CAs to the default Mozilla certificate database upon request. The Mozilla Foundation requires that all such CAs:
    1. offer services to the general public, or otherwise provide some service relevant to Mozilla users or the Mozilla community;
    2. publish information about the CA and its policies and procedures; and
    3. provide CA certificate data in a form suitable for inclusion in Mozilla.
  5. To request that their certificates be added to the default database, CAs should send an email message to certificates@mozilla.org; the request should include links to the CA-related information and certificate data described above. The Mozilla Foundation will take the information provided into account when deciding whether or not to include the certificate(s) in Mozilla as requested.

This policy applies only to the versions of Mozilla and other software distributed by the Mozilla Foundation; other entities distributing Mozilla and related software are free to adopt their own policies. In particular, under the terms of the Mozilla license(s) distributors of Mozilla and related software are permitted to add or delete certificates in the versions that they distribute, and are also permitted to modify the values of the "trust bits" on certificates in the default certificate database. As with other Mozilla modifications, by making such changes a distributor may affect its ability to use Mozilla trademarks in connection with its versions of the software; see the Mozilla trademark policy for more information.

Please see the Mozilla Certificate FAQ for more information about this policy and answers to related questions.