Mozilla CA Certificate Program Participants


Kathleen Wilson

Apr 29, 2011, 6:24:19 PM
to mozilla-dev-s...@lists.mozilla.org
As a result of some comments I’ve seen in this discussion forum, I would
like to explain why you see different people involved in different
aspects of Mozilla’s CA Certificate Program. The info below only
includes a small subset of the many people involved in the Mozilla CA
Certificate Program.

The information below may be found in these documents:

Mozilla Module Owners:
https://wiki.mozilla.org/Module_Owners_Activities_Modules

Mozilla CA Certificate Policy:
http://www.mozilla.org/projects/security/certs/policy/

Mozilla Policy for Handling Security Bugs (a.k.a. Security Policy):
http://www.mozilla.org/projects/security/security-bugs-policy.html

Security Group:
http://www.mozilla.org/projects/security/secgrouplist.html


Frank Hecker is the Owner of the Mozilla CA Certificate Policy and the
Security Policy. Frank is also a Peer of the CA Certificates Module.

I am the Owner of the CA Certificates Module, and a Peer of the Mozilla
CA Certificate Policy.

Mozilla’s active representatives in the CA/Browser Forum are Gerv
Markham and Sid Stamm. There are others from Mozilla, such as myself,
who frequently view the CA/Browser Forum discussions and we communicate
our opinions to Gerv and Sid.

The Mozilla CA Certificate Policy may only be updated by Frank or me. A
general description of how this happens is here:
https://wiki.mozilla.org/CA:CertPolicyUpdates#Process_for_Updating_the_Policy

As owner of the CA Certificates Module, much of my work is described
here: https://wiki.mozilla.org/CA:How_to_apply.
With regard to root inclusion/update requests, I verify information
provided by the CA, host the public discussion for the request, track
action items, recommend approval, approve (or not), create the
corresponding NSS and PSM bugs, etc.
I also maintain most of the wiki pages here:
https://wiki.mozilla.org/CA:Overview.

When a serious security-sensitive bug is reported, the Mozilla Policy
for Handling Security Bugs is followed
(http://www.mozilla.org/projects/security/security-bugs-policy.html). A
“security bug group” is pulled together as described in the Security
Policy document in the section called “Organizational structure for
handling security bugs.” The process for disclosure of security
vulnerabilities includes reaching consensus within the security bug
group, as described in the section called “Disclosure of security
vulnerabilities.” The person designated to publicly disclose information
must only disclose the information that the security bug group agreed
to; this person does not act alone.

I hope this helps clarify why you see different people involved in
different aspects of Mozilla’s CA Certificate Program.

Kathleen
