According to the Mozilla website, “when distributing binary and source code versions of Firefox, Thunderbird, and other Mozilla-related software products, Mozilla may include with such software a default set of X.509v3 certificates for various CAs.”
Mozilla explains that the certificates included by default have their “trust bits” set for specific purposes so that the software can rely on them directly.
The software can then use the CA certificates to verify certificates for SSL servers, S/MIME email users, and digitally signed code objects without repeatedly asking users for additional permission or information.
The policy consists of three sections. The first section addresses applying for inclusion of root certificates in Mozilla products.
This section lists the considerations Mozilla takes into account, such as the CA’s publicly available documentation of its policies and audits of the CA’s operations against those documented policies.
The next section, on maintaining confidence in included root certificates, covers regular auditing of the CA’s policies and practices, conformance to current CA industry standards and recommended best practices, and changes to included root certificates.
Finally, the last section deals with the steps that Mozilla may take in enforcing its CA certificate policy. This includes the evaluation of security concerns, as well as removing or disabling a root certificate.
Mozilla points out that its CA certificate policy applies only to software products distributed by the Mozilla Foundation and its subsidiaries, and that other entities distributing such software have the freedom to adopt their own policies.
As a result, distributors of Mozilla-licensed software may add or delete CA certificates in the versions they distribute, and may also change the values of the “trust bits” on CA certificates in the default CA certificate set.
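As an added example (not code from the article or from Mozilla), the following Python parses the trust-attribute column that NSS's `certutil -L` prints, which carries exactly the SSL, S/MIME and code-signing “trust bits” the policy refers to, and reports where a distributor's set differs from a default set; the listing is a constructed sample, not real roots.

```python
"""Parse NSS trust attributes as listed by `certutil -L -d <dbdir>` (constructed sample)."""
import re

# Column order of the trust string: SSL/TLS servers, S/MIME e-mail, object (code) signing.
PURPOSES = ("ssl", "email", "code_signing")

# Constructed sample in certutil -L layout; these are not real roots.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              C,C,C
Mail-Only Root CA                                            ,C,
Distrusted Legacy Root                                       p,p,p
Corp TLS Root (distributor-added)                            CT,,
"""

LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_trust(trust):
    """'C'/'T' in a field = trusted CA for that purpose, 'p' = explicitly distrusted, empty = no trust."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"malformed trust string: {trust!r}")
    result = {}
    for purpose, flags in zip(PURPOSES, fields):
        if "p" in flags:
            result[purpose] = "distrusted"
        elif "C" in flags or "T" in flags:
            result[purpose] = "trusted"
        else:
            result[purpose] = "none"
    return result

def parse_listing(text):
    """Return {nickname: trust-by-purpose} for every certificate line in the listing."""
    roots = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            roots[m.group("nick")] = parse_trust(m.group("trust"))
    return roots

def trust_changes(distributed, default):
    """Roots whose trust bits differ from the default set (added, removed, or re-flagged)."""
    return {n: (default.get(n), distributed.get(n))
            for n in sorted(set(default) | set(distributed))
            if default.get(n) != distributed.get(n)}
```

Running `trust_changes` over a real `certutil -L` dump against a known-good default listing is a quick way to spot roots a downstream build added, dropped, or re-flagged.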
Mozilla also encourages anyone who needs more information about the policy to email the organization at firstname.lastname@example.org.
Talk back: What do you think of Mozilla’s newly updated CA policy? Are you currently offering SSL certificates to your customers? Do you think the updated policy will affect your own hosting business? Let us know in a comment.