Officially Publish Certificate Authority Policy on Web Site


12 years ago
6 years ago


(Reporter: David E. Ross, Assigned: Nick Bebout)







12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv: Gecko/20060130 SeaMonkey/1.0 Mnenhy/
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv: Gecko/20060130 SeaMonkey/1.0 Mnenhy/

The "Mozilla CA Certificate Policy" at the cited URL needs to be moved to a or Web page.  If this is indeed an official policy of the Mozilla Foundation or Mozilla Corporation, it should no longer be on someone's personal Web site.  And the page should be easily found.  

Reproducible: Always

Steps to Reproduce:

The issue is trust: trusting the CA root certificates installed in the Certificate Manager.  Trust is created by making public how those certificates are approved for installation.  For the same reason, a CA's certificate policy and certification practice statement are supposed to be available to the public if the CA is to be successful in passing a WebTrust audit.

Comment 1

12 years ago
-> www.m.o & Taking this bug

This affects adding certificates to NSS (which is used by Firefox, Thunderbird, etc.), so this belongs on www.m.o instead of www.m.c

I can commit this if someone can suggest an appropriate place and the powers-that-be do not object.

Hecker? Your opinions?
Component: →
Product: Websites →
QA Contact: www-mozilla-com → www-mozilla-org
Version: unspecified → other


12 years ago
Assignee: nobody → nb



Comment 2

12 years ago
I agree that the policy should go on, not Perhaps the most logical place would be in the /projects/security/pki/nss/ hierarchy, with a URL of

It could then be linked to from an appropriate section of

as well as from any page where we list official Mozilla project policies.

I'm on vacation right now and won't have time this week to check this in. I'm happy to have someone else check it in on my behalf. Note that I tried to write the HTML to match the style guidelines for documents, but I may have used outdated information.

Comment 3

12 years ago
Checking in policy.html;
v  <--  policy.html
initial revision: 1.1

I made a ca-certificates directory because I intend to have several files in that directory for bug 333272 (List of CA certificates included in NSS)
Last Resolved: 12 years ago
Resolution: --- → FIXED

Comment 4

12 years ago
I give up!  Where is it?  This bug report is listed as RESOLVED/FIXED, but I can't find the policy on the Web site.  I tried a search on the site on the terms "certificate" and "policy", but none of the first 50 results were the policy in question.  

It's not really important where in the Web site the policy resides.  However, it is important that any user who is somewhat experienced in Web security be able to find it even if that person knows nothing about the organization of Mozilla.  Thus, a link to the policy should be visible on the site map at <>.  

Comment 5

12 years ago
I apologize for marking this as resolved so quickly.  I forgot about the part of linking to it and sending out a mailing list email to notify that it is there now.  It is located at

I'll try to add some links to it tonight or tomorrow.
Resolution: FIXED → ---

Comment 6

12 years ago
Nicholas: Thanks much for getting this published! In terms of links, here are some possible places to add links:


I suggest adding a new bulleted list in the "Documentation" section, right after the last bulleted list ("PKCS #11 information for implementors of cryptographic modules"):

  CA certificates pre-loaded into NSS:

  * Mozilla CA certificate policy [link to the policy]
  * List of pre-loaded CA certificates [link to the list, when available]

2. ("Security Center")

It might make sense to add a mention of the policy in the section "For Developers: Contacting Mozilla", as a list item right *before* the last list item ("We encourage you to learn more ..."):

  * Mozilla-based products include a default list of CA certificates
    used when connecting to SSL-enabled servers and in other contexts. If you
    are a CA and would like your CA certificate(s) considered for inclusion
    in Mozilla, please see the Mozilla CA certificate policy.

The phrase "Mozilla CA certificate policy" would link to the policy, and the phrase "default list of CA certificates" would link to the official list (when it's ready).

Note that the Security Center URL is at the bottom of every page, and is also linked to from the site map, so this should be pretty discoverable.


I'm not sure if it makes sense to directly link from this page or not. If we do link from this page, we could create a whole new "Policies" section, or just link from either the "Developers" section or the "About Mozilla" section.

Comment 7

12 years ago
Checking in mozilla-org/html/security/index.html;
/cvsroot/mozilla-org/html/security/index.html,v  <--  index.html
new revision: 1.54; previous revision: 1.53

Checking in mozilla-org/html/projects/security/pki/nss/index.html;
/cvsroot/mozilla-org/html/projects/security/pki/nss/index.html,v  <--  index.html
new revision: 1.66; previous revision: 1.65

Checking in mozilla-org/html/sitemap.html;
/cvsroot/mozilla-org/html/sitemap.html,v  <--  sitemap.html
new revision: 1.16; previous revision: 1.15

These changes should be made within about 15 minutes when the website rebuilds from cvs.
Last Resolved: 12 years ago
Resolution: --- → FIXED


12 years ago
Product: → Websites
Component: → General
Product: Websites →