Changes

CA:GovernmentCAs

2,235 bytes added, 00:18, 22 August 2012
Suggestions about what to do about Government CAs
*** Is inclusion in Mozilla's CA Certificate program an indicator that the CA is not evil?
*** What is out-of-scope; e.g. what are unreasonable assumptions for people to make about CAs in Mozilla's program.
***
*** Cannot protect anyone from governments using their power on their citizens, whether it is a government-owned CA or not.
** This has been requested in regards to specific roots, such as CNNIC: Have Firefox provide a warning when the CNNIC ROOT CA is used to authenticate web sites outside the jurisdiction of the Chinese government.
** {{bug|555701}}
 
 
== What Inclusion of a CA in Mozilla's Program Means ==
What statements can be made about CAs in Mozilla's program?
 
* Certificates are used in three primary functions within Mozilla and related software:
** When a user connects to an SSL-enabled web server or other SSL-enabled servers.
** When a user reads digitally signed email from another user.
** When a user downloads and executes digitally signed code.
* A Certification Authority (CA) is an entity that digitally signs other entities' certificates. By signing the data in certificates CAs are vouching for the information contained in the certificate.
** A certificate used for a secure web server contains the domain name used to connect to the web server, and by signing such a certificate a CA is vouching for the fact that the entity operating the web server (the entity that controls the server's private key corresponding to the public key in the certificate) actually controls the domain name associated with the server.
** A certificate used for secure email contains the email address of the person or organization that controls the corresponding email account, and by signing such a certificate a CA is vouching for the fact that the entity owns or controls the email address contained within the certificate.
** A certificate used to sign code should contain the name of the developer or distributor of the code, and by signing such a certificate a CA is vouching for the fact that the entity referenced in the certificate is the entity that requested the certificate.
* A CA is considered to be non-compliant with Mozilla's CA Certificate Policy if the CA
** knowingly issues certificates without the knowledge of the entities whose information is referenced in the certificates; or
** knowingly issues certificates that appear to be intended for fraudulent use.
* Mozilla will consider removing a root certificate from NSS if
** The CA is issuing certificates in a manner that is non-compliant with Mozilla's CA Certificate Policy.
** The CA is issuing certificates that are being used in MitM attacks.
* SSL makes tampering visible to its victims. The certificate has to actually make it to the user's client application before the user can decide to trust it.