A few months ago, we discussed our root inclusion criteria, and came to
a conclusion that I summarized and proposed in policy as follows:
> I would like to thank everyone for your constructive input on this topic.
> At the outset I stated a desire to ‘establish some objective criteria that
> can be measured and applied fairly’. While some suggestions have been made,
> no clear set of criteria has emerged. At the same time, we’ve heard the
> argument that our time would be better spent on raising the bar for all CAs
> in the program, regardless of their subjective value to typical users of
> our products.
> Some thought was also given to applying unique technical criteria to new
> CAs, such as limiting certificate lifetime to 90 days or requiring ACME
> support. It was pointed out, however, that this favors incumbents and
> doesn’t drive improvement in the overall ecosystem.
> The conclusion from this discussion is that we will not attempt to restrict
> organizations from participating in the Mozilla CA program based on a
> judgement of their value to our users. We will continue to require
> applicants to demonstrate compliance with our policies, and reserve the
> right to deny membership to any CA at our discretion, e.g. because they
> have a documented pattern of misbehavior or we believe they intend to
> violate our policies.
> Here is a proposed update to the Mozilla Root Store Policy reflecting this
Having just reviewed this again, I recommend that we also remove the word
“typical” from section 2.1(1) of the policy that reads:
> CAs whose certificates are included in Mozilla's root program MUST:
> 1. provide some service relevant to typical users of our software
This is: https://github.com/mozilla/pkipolicy/issues/118
This is a proposed update to Mozilla's root store policy for version
2.6. Please keep discussion in this group rather than on GitHub. Silence
Policy 2.5 (current version):