User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:220.127.116.11) Gecko/20060130 SeaMonkey/1.0 Mnenhy/0.7.3.0 Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:18.104.22.168) Gecko/20060130 SeaMonkey/1.0 Mnenhy/0.7.3.0 The "Mozilla CA Certificate Policy" at the cited URL needs to be moved to a mozilla.org or mozilla.com Web page. If this is indeed an official policy of the Mozilla Foundation or Mozilla Corporation, it should no longer be on someone's personal Web site. And the page should be easily found. Reproducible: Always Steps to Reproduce: The issue is trust: trusting the CA root certificates installed in the Certificate Manager. Trust is created by making public how those certificates are approved for installation. For the same reason, a CA's certificate policy and certification practice statement are supposed to be available to the public if the CA is to be successful in passing a WebTrust audit.
-> www.m.o & Taking this bug This affects adding certificates to NSS (which is used by Firefox, Thunderbird, etc.), so this belongs on www.m.o instead of www.m.c I can commit this if someone can suggest an appropriate place and the powers-that-be do not object. Hecker? Your opinions?
Component: www.mozilla.com → www.mozilla.org
Product: Websites → mozilla.org
QA Contact: www-mozilla-com → www-mozilla-org
Version: unspecified → other
I agree that the policy should go on www.mozilla.org, not www.mozilla.com. Perhaps the most logical place would be in the /projects/security/pki/nss/ hierarchy, with a URL of http://www.mozilla.org/projects/security/pki/nss/ca-certificate-policy.html It could then be linked to from an appropriate section of http://www.mozilla.org/projects/security/pki/nss/index.html as well as from any page where we list official Mozilla project policies. I'm on vacation right now and won't have time this week to check this in. I'm happy to have someone else check it in on my behalf. Note that I tried to write the HTML to match the style guidelines for mozilla.org documents, but I may have used outdated information.
Checking in policy.html; /cvsroot/mozilla-org/html/projects/security/pki/nss/ca-certificates/policy.html v <-- policy.html initial revision: 1.1 done I made a ca-certificates directory because I intend to have several files in that directory for bug 333272 (List of CA certificates included in NSS)
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
I give up! Where is it? This bug report is listed as RESOLVED/FIXED, but I can't find the policy on the www.mozilla.org Web site. I tried a search on the site on the terms "certificate" and "policy", but none of the first 50 results were the policy in question. It's not really important where in the Web site the policy resides. However, it is important that any user who is somewhat experienced in Web security be able to find it even if that person knows nothing about the organization of Mozilla. Thus, a link to the policy should be visible on the site map at <http://www.mozilla.org/sitemap.html>.
I apologize for marking this as resolved so quickly. I forgot about the part of linking to it and sending out a mailing list email to notify that it is there now. It is located at http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html I'll try to add some links to it tonight or tomorrow.
Nicholas: Thanks much for getting this published! In terms of links, here are some possible places to add links: 1. http://www.mozilla.org/projects/security/pki/nss/ I suggest adding a new bulleted list in the "Documentation" section, right after the last bulleted list ("PKCS #11 information for implementors of cryptographic modules"): CA certificates pre-loaded into NSS: * Mozilla CA certificate policy [link to the policy] * List of pre-loaded CA certificates [link to the list, when available] 2. http://www.mozilla.org/security/ ("Security Center") It might make sense to add a mention of the policy in the section "For Developers: Contacting Mozilla", as a list item right *before* the last list item ("We encourage you to learn more ..."): * Mozilla-based products include a default list of CA certificates used when connecting to SSL-enabled servers and in other contexts. If you are a CA and would like your CA certificate(s) considered for inclusion in Mozilla, please see the Mozilla CA certificate policy. The phrase "Mozilla CA certificate policy" would link to the policy, and the phrase "default list of CA certificates" would link to the official list (when it's ready). Note that the Security Center URL is at the bottom of every mozilla.org page, and is also linked to from the site map, so this should be pretty discoverable. 3. http://www.mozilla.org/sitemap.html I'm not sure if it makes sense to directly link from this page or not. If we do link from this page, we could create a whole new "Policies" section, or just link from either the "Developers" section or the "About Mozilla" section.
Checking in mozilla-org/html/security/index.html; /cvsroot/mozilla-org/html/security/index.html,v <-- index.html new revision: 1.54; previous revision: 1.53 done Checking in mozilla-org/html/projects/security/pki/nss/index.html; /cvsroot/mozilla-org/html/projects/security/pki/nss/index.html,v <-- index.html new revision: 1.66; previous revision: 1.65 done Checking in mozilla-org/html/sitemap.html; /cvsroot/mozilla-org/html/sitemap.html,v <-- sitemap.html new revision: 1.16; previous revision: 1.15 done These changes should be made within about 15 minutes when the website rebuilds from cvs.
Status: REOPENED → RESOLVED
Last Resolved: 12 years ago → 12 years ago
Resolution: --- → FIXED
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
You need to log in before you can comment on or make changes to this bug.