Quantifying the Value of Adding a New CA

Skip to first unread message

Ben Wilson

May 10, 2021, 7:13:55 PM5/10/21
to dev-secur...@mozilla.org

Kathleen and I would like your input on how we should quantify the value of adding a new CA. 

Also, as part of this effort and in response to the public discussions for root inclusion by TunTrust and iTrusChina, I have created a draft for a new wiki page that would outline some of the questions that first-time root inclusion applicants ought to answer. 

We look forward to your comments and suggestions on what other questions to ask, or how to re-phrase what I've written, so that we can better indicate the kinds of details we want in the answers we receive.


Syrine Tlili

May 11, 2021, 5:22:17 PM5/11/21
to dev-secur...@mozilla.org, bwi...@mozilla.com
Hi All

Thank you Ben for this document, it helps us understand the information you need to get from us to process our application.
We will start working on these questions and will follow up to provide you with any additional information.


Ben Wilson

May 18, 2021, 4:59:05 PM5/18/21
to dev-secur...@mozilla.org
I haven't received any comments on the document mentioned in my original post. In line with Mozilla practice, I've converted the document into a wiki page -
https://wiki.mozilla.org/CA/Quantifying_Value. It will be linked to the Application Process page as an extension of what is written under Who May Apply.
As always, we are still open to feedback from the community.
Meanwhile, I suppose that I should direct TunTrust and iTrusChina to the wiki page and ask that they provide this information.

Ben Wilson

May 20, 2021, 5:57:12 PM5/20/21
to dev-secur...@mozilla.org, syrine...@tuntrust.tn, Ben Wilson
Thanks, Syrine

yutian zheng

May 26, 2021, 4:25:56 AM5/26/21
to dev-secur...@mozilla.org, bwi...@mozilla.com, syrine...@tuntrust.tn

Hi Ben,

We are working on these questions and will provide you with this information in few days.

Yutian Zheng
iTrusChina Co.,Ltd.

Nick Lamb

Jun 6, 2021, 6:53:26 PM6/6/21
to dev-secur...@mozilla.org
On Mon, 10 May 2021 17:13:41 -0600
Ben Wilson <bwi...@mozilla.com> wrote:

> All,
> Kathleen and I would like your input on how we should quantify the
> value of adding a new CA.

Hello Ben and Kathleen,

Thank you for the wiki page. Although it's valuable to ask CAs to
explain why they should be included I think it will also be valuable
for Mozilla and other root trust stores to think about what *they* want
to achieve in terms of how many or few trusted CAs and whether there are
particular traits those CAs must or should have or which Mozilla
explicitly should not care about.

For example I expect we all agree that *one* CA is too few but is *ten*
too few, or is that perhaps satisfactory?

A million obviously feels like too many. Just managing the paperwork
would take a far larger team than yourselves even with CCADB. But is a
*thousand* also too many?


For traits I'm thinking about things like: Do we want diversity in
terms of where geographically the responsible entity is, so that
Mozilla would prefer a new Russian CA over yet another Californian one?

Do we want diversity in funding models, so Mozilla would prefer to see
a mix of government agencies, non-profits, listed companies etc ? Or
are some models preferred over others?

Do we want to see diversity inside the CA entities themselves. Does it
matter to Mozilla whether executives at a CA are women, minorities,
disabled, etc ? Or is this definitively a matter for the CA not Mozilla?

Do we want to see Certificate Authorities that are excited to dip their
toes into new opportunities? Is a CA preferred if they're sponsoring a
TLS Working Group experiment that injects a novel OID into X.509 certs,
or contrariwise is such adventurousness exactly what we don't want to
see from a reliable CA?


Finally, there may already be policy about this, but it seems to me that
the discussions and supporting evidence are different between perhaps
three scenarios:

1. An existing trusted CA wants to replace a root, with an explicit
intent to retire some existing root, either one expected to expire soon
or for other reasons.

I see this scenario as mostly about technical checks. We already trust
these people and this does not multiply Mozilla's problems. I think
Mozilla should express a general intent to issue in these cases
*despite* retaining the legal right to do whatever it wants.

2. An existing trusted CA wants to mint a new root to add to their

Unlike (1) this does increase the overhead for Mozilla, and it incurs
an ongoing additional trust burden so it seems appropriate to gather
community feedback, if any, about the change and seek a justification
beyond "We want to do this and we're trusted" for why this ought to be
a new trusted root.

3. An entity not previously trusted by Mozilla wants to join the root

This clearly requires the most scrutiny, the most justification from an
applicant, and the most in-depth discussion before accepting a new
CA. This is the category where I believe the questions I had above for
Mozilla (and other trust stores) matter, to guide us as much as the
answers from the applicant.

Reply all
Reply to author
0 new messages