Changes

CA/FAQ

141 bytes added, 17:20, 17 February 2021
added clarifications
The decisions Mozilla makes with regard to the inclusion or exclusion of CA certificates in its root store are directly tied to the capabilities and behaviours of the software Mozilla distributes. Sometimes, a security change is made wholly or partly in the software instead of the root store. Further, Mozilla does not promise to take into account the needs of other users of its root store when making such decisions.
Therefore, anyone considering bundling Mozilla's root store with other software needs to be aware of the issues surrounding providing a root store, and committed to making sure that they maintain security for their users by carefully observing Mozilla's actions and taking appropriate steps of their own. On a best-efforts basis, Mozilla maintains [[CA/Additional_Trust_Changes|a list]] of the additional things users of our store might need to consider.
For additional context see the [https://groups.google.com/d/msg/mozilla.dev.security.policy/FYIBEF_AVMI/2KYQrWirsiQJ discussion in mozilla.dev.security.policy].
'''Important''': Consumers of this root store must consider the trust bit settings for each included root certificate.
* '''Root Store Data and usage terms are available via links in the [[CA/Included_Certificates|Mozilla Included CA Certificates]] wiki page.'''
* Previously people extracted the data from certdata.txt:
** [https://www.imperialviolet.org/2012/01/30/mozillaroots.html Why Trust Bits Matter]
** [https://github.com/agl/extract-nss-root-certs Extracting roots and their trust bits]
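The following is an added example, not part of this wiki page or of Mozilla's tooling, showing why trust bits must be read alongside the certificates. It assumes the attribute syntax of NSS's certdata.txt; the sample entries, labels and bytes are constructed, and the helper names are hypothetical.

```python
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example TLS Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example TLS Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Cert"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''  # Constructed sample in certdata.txt syntax; labels and bytes are made up.

def parse_objects(text):
    """Split certdata-style text into one attribute dict per object."""
    objects, in_octal = [], False
    for line in text.splitlines():
        fields = line.strip().split(None, 2)
        if in_octal:                      # skip the octal payload up to END
            in_octal = fields != ["END"]
        elif len(fields) >= 2 and fields[1] == "MULTILINE_OCTAL":
            in_octal = True
        elif len(fields) == 3 and not fields[0].startswith("#"):
            if fields[0] == "CKA_CLASS":  # each object starts with its class
                objects.append({})
            if objects:
                objects[-1][fields[0]] = fields[2].strip('"')
    return objects

def roots_trusted_for(text, trust_attr):
    """Labels whose trust object marks them as a trust anchor for trust_attr."""
    return [o["CKA_LABEL"] for o in parse_objects(text)
            if o["CKA_CLASS"] == "CKO_NSS_TRUST"
            and o.get(trust_attr) == "CKT_NSS_TRUSTED_DELEGATOR"]

def all_certificates(text):
    """What a trust-bit-blind extractor would ship: every certificate object."""
    return [o["CKA_LABEL"] for o in parse_objects(text) if o["CKA_CLASS"] == "CKO_CERTIFICATE"]
```

On the sample, <code>all_certificates</code> returns both roots, while only "Example TLS Root" is an anchor for <code>CKA_TRUST_SERVER_AUTH</code>; a TLS bundle built without reading the trust objects would wrongly include the email-only root.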
=== How do I import a root cert into NSS on our organization's internal servers? ===