Accountapprovers, antispam, confirm, emeritus
4,925
edits
Changes
First version, including CNNIC
The Mozilla Root Program's official repository of the roots it trusts is [https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt certdata.txt]. Some information about the level of trust in each root is included in that file - for example, whether it's trusted for server SSL, S/MIME or both, and whether it's an EV root. However, not all restrictions recommended by Mozilla on the roots can be or are encoded in certdata.txt. Some are implemented at the NSS level, or in Firefox and Thunderbird.
Sometimes, other companies and organizations decide to use Mozilla's root store in their products. As the [[CA:FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F|CA FAQ]] notes, Mozilla does not promise to take into account the needs of other users of its root store when making decisions. However, for the benefit of such users and on a best-efforts basis, this page documents the additional restrictions that Mozilla recommends.
==CNNIC==
Mozilla [https://blog.mozilla.org/security/files/2015/04/CNNIC-MCS.pdf recommends] not trusting any certificates issued by this CA after 1st April 2015. We have a [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/CNNICHashWhitelist.inc whitelist of older certificates], and tools to generate it. The code implementing this restriction is [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#753 in NSS].
Sometimes, other companies and organizations decide to use Mozilla's root store in their products. As the [[CA:FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F|CA FAQ]] notes, Mozilla does not promise to take into account the needs of other users of its root store when making decisions. However, for the benefit of such users and on a best-efforts basis, this page documents the additional restrictions that Mozilla recommends.
==CNNIC==
Mozilla [https://blog.mozilla.org/security/files/2015/04/CNNIC-MCS.pdf recommends] not trusting any certificates issued by this CA after 1st April 2015. We have a [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/CNNICHashWhitelist.inc whitelist of older certificates], and tools to generate it. The code implementing this restriction is [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#753 in NSS].
