Version 0.2, February 9, 2004. Clarified that risks ("negative benefits") should be taken into account in decisions. Further emphasized that this represents personal opinions only at this time.
This is a draft document for public discussion. It reflects the personal opinions of the author, and does not necessarily represent the views of mozilla.org staff and the Mozilla Foundation.
When distributing Mozilla and related software, the Mozilla Foundation includes a default certificate database containing X.509v3 certificates for various Certification Authorities (CAs). The certificates are marked in the database as being "trusted" for various purposes, so that Mozilla can use them automatically to verify certificates for SSL servers, S/MIME email users, etc., without having to ask Mozilla users for further permission or information.
This is the official Mozilla Foundation policy for certificates that it distributes with Mozilla and related software:
This policy applies only to the versions of Mozilla and other software distributed by the Mozilla Foundation; other entities distributing Mozilla and related software are free to adopt their own policies. In particular, under the terms of the Mozilla license(s), distributors of Mozilla and related software are permitted to add or delete certificates in the versions that they distribute, and are also permitted to modify the values of the "trust bits" on certificates in the default certificate database. As with other Mozilla modifications, by making such changes, a distributor may affect its ability to use Mozilla trademarks in connection with its versions of the software; see the Mozilla trademark policy for more information.
Please see the Mozilla Certificate FAQ for more information about this policy and answers to related questions.