(Replaced text with current recommendation and Firefox behavior) |
(added another note about subCAs) |
| Line 11: | Line 11: | ||
'''IMPORTANT Items to Note:''' | '''IMPORTANT Items to Note:''' | ||
* If you control all the domains that use your root certificate, then you probably do not meet the criteria for inclusion in Mozilla's root store. [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Inclusion Policy] states: "We will determine which CA certificates are included in software products distributed by Mozilla, based on the benefits and risks of such inclusion to typical users of those products." With ALL affected domains under your control, your root certificate would not seem to create a benefit for typical Mozilla users, only for users of your services. Perhaps a better alternative would to be a [[CA:SubordinateCAcerts|subordinate CA]] of a CA who is [[CA:IncludedCAs|already included in Mozilla's root store]]. | |||
* Having a root certificate you control included in Mozilla's root store is not a trivial thing, but a significant responsibility. It means that, in the normal case, the world will trust you to correctly issue digital certificates identifying any website. There will be associated costs in maintaining the required security infrastructure and having it audited on a yearly basis. | * Having a root certificate you control included in Mozilla's root store is not a trivial thing, but a significant responsibility. It means that, in the normal case, the world will trust you to correctly issue digital certificates identifying any website. There will be associated costs in maintaining the required security infrastructure and having it audited on a yearly basis. | ||
* The information listed in [[CA:Information_checklist|CA Information Checklist]] is expected to be publicly available so that it can be reviewed and referenced during the Public Discussion Phase and for future reference. | * The information listed in [[CA:Information_checklist|CA Information Checklist]] is expected to be publicly available so that it can be reviewed and referenced during the Public Discussion Phase and for future reference. | ||
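Review bot: The last sentence of the bullet that differs between the two revisions (the one beginning "If you control all the domains") has a grammar slip: "Perhaps a better alternative would to be a subordinate CA" should read "would be to become a subordinate CA" or similar. The same bullet says "ALL affected domains" in capitals while the opening clause says "all the domains"; using one form, and stating the subordinate CA suggestion as a direct recommendation rather than "Perhaps", would make the note easier to act on for an applicant reading the list.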