From MozillaWiki

This page is a snapshot of a previous version of Mozilla's CA Certificate Policy. For the current version, see Mozilla's Current CA Certificate Policy.

Mozilla CA Certificate Policy (Proposed)

Version 0.4, March 30, 2004. Added stipulation that decisions will be based on documented, objective, verifiable criteria; the actual criteria themselves will be included in another document, most likely the FAQ on policy details, not in the policy itself. Also noted that requests can be submitted via bugzilla as an alternative to email.

This is a draft document for public discussion. It reflects the personal opinions of the author, and does not necessarily represent the views of staff and the Mozilla Foundation.

Please post comments and questions to the netscape.public.mozilla.crypto newsgroup or the corresponding mozilla-crypto mailing list, or send them to the document author, Frank Hecker.

When distributing Mozilla and related software the Mozilla Foundation includes with such software a default set of X.509v3 certificates for various Certification Authorities (CAs). The certificates included by default are marked as being "trusted" for various purposes, so that Mozilla can use them automatically to verify certificates for SSL servers, S/MIME email users, etc., without having to ask Mozilla users for further permission or information.

This is the official Mozilla Foundation policy for certificates that it distributes with Mozilla and related software:

  1. The Mozilla Foundation will determine which certificates are included in versions of Mozilla and related software distributed through, based on the benefits and risks of such inclusion to typical Mozilla users. The decisions will be made through a public process and will be based on objective and verifiable criteria.
  2. The Mozilla Foundation will not charge any fees to have a CA's certificate distributed with Mozilla.
  3. The Mozilla Foundation reserves the right to discontinue including any CA certificate in Mozilla, at any time and for any reason.
  4. The Mozilla Foundation will consider adding certificates for additional CAs to the default Mozilla certificate set upon request. The Mozilla Foundation requires that all such CAs:
    1. provide some service relevant to typical Mozilla users;
    2. publish information about the CA and its policies and procedures; and
    3. provide CA certificate data in a form suitable for inclusion in Mozilla.
  5. To request that their certificates be added to the default database, CAs should send an email message to and apply to be considered for addition; the request should include links to the CA-related information and certificate data requested above. (Requests can also be submitted by entering a bug report. May need more details here, e.g., what component to file bug against; could put this into the FAQ instead) The Mozilla Foundation will take this and other information provided into account when deciding whether or not to include the certificate(s) in Mozilla as requested.

This policy applies only to the versions of Mozilla and related software distributed by the Mozilla Foundation; other entities distributing Mozilla and related software are free to adopt their own policies. In particular, under the terms of the Mozilla license(s) distributors of Mozilla and related software are permitted to add or delete certificates in the versions that they distribute, and are also permitted to modify the values of the "trust bits" on certificates in the default certificate database. As with other Mozilla modifications, by making such changes a distributor may affect its ability to use Mozilla trademarks in connection with its versions of the software; see the Mozilla trademark policy for more information.

Please see the Mozilla Certificate FAQ for more information about this policy and answers to related questions.