Mozilla Foundation (MF) has moved further forward in its debate on CA policy. In essence, the policy states that MF will distribute a CA's root keys where the CA has implemented sufficient controls, in the view of MF, and doing so would serve the users of Mozilla. Point 4 of the policy is the relevant one:
4. The Mozilla Foundation will consider adding certificates for additional CAs to the default Mozilla certificate set upon request. The Mozilla Foundation requires that all such CAs:
- provide some service relevant to typical Mozilla users;
- publish information about the CA and its policies and procedures; and
- provide CA certificate data in a form suitable for inclusion in Mozilla.
The process is still in draft, but is encouraging. They are leaving a way open for smaller, more focused CAs to get into the game, without having to go through some committee's idea of safety and security (such as an audit or other pure-blooded means). Several CAs are champing at the bit to get in, presumably because they've already found out how hard it is to get accepted by other browser publishers.
Frank Hecker has written a core policy proposal, supported by implementation details and a meta-policy:
http://www.hecker.org/mozilla/ca-certificate-policy
http://www.hecker.org/mozilla/ca-certificate-faq/policy-details/
http://www.hecker.org/mozilla/ca-certificate-metapolicy/