Guess how many people at Mozilla decide that a CA can become a root? 1

  • If you have questions about the process, why not ask Mozilla rather than pulling Kathleen's name out of the ether and pinning it all on her. Kind of a jerk move to not find the exact info you're looking for so you dox a Mozilla employee.

  • Here is where it's documented:

    https://www.mozilla.org/en-US/about/governance/policies/secu...

    > Mozilla has appointed a CA Certificate module owner and peers to evaluate new CA requests on our behalf and to make decisions regarding all matters relating to CA certificates included in our root store.

    https://wiki.mozilla.org/Modules/Activities?#CA_Certificates

    > Further, Mozilla has appointed a Mozilla CA Certificate Policy module owner and peers to maintain this policy. The policy will only be changed after public consultation with the Mozilla community, in order to ensure that all views are taken into account.

    https://wiki.mozilla.org/Modules/Activities#Mozilla_CA_Certi...

Ben and Kathleen are either the current module owner or peer. So there are two people who can have the role, with one making the decision at the time. I imagine there is a process to replace one or both of them, but I'm not really interested in doing the research.

    If I do a Google search for "Mozilla CA policy owner", the first result is https://www.mozilla.org/en-US/about/governance/policies/secu...

    It would be interesting to know what Google searches you ran, and the results you received.

  • This is out of my wheelhouse so maybe someone knows better.

    But I see in a lot of corporate docker images for Python environments the installation of certifi. Which is billed as “Mozilla’s carefully curated collection of Root Certificates.” But based on this comment “carefully curated” might be inaccurate.

Windows has Group Policy which allows admins to control what CAs they want to trust. macOS has Keychain which I’m guessing MDM tools like Jamf can control. On Linux it seems a bit more “Wild West”. For example, there is /etc/ssl/certs. On Ubuntu there is another directory and the command “update-ca-certificates” (or something like that). From an SO q+a Golang searches several directories to find root CAs. I know Java maintains its own store and has a keystore and trust store to manage trusted certs. Python requests library, pip and node package manager also take in a directory path to a file with trusted cacerts either in their config files or an environment variable. So even applications can manage what they trust independent of the OS. Seems like a major oversight and an attack surface ripe for exploitation.

    So it seems to me like a standard should be formed and browsers should be out of the business of managing certs. The standard should specify a well known directory cross platform to read certs and perhaps a set of APIs to add certs. Maybe this already exists?
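A defender-side check for the trust-store sprawl the comment above describes (an added example, not code from the thread or from any of the projects named): it lists which environment variables would redirect OpenSSL/Python, Go, requests, pip and Node away from the OS store, and diffs two PEM bundles (for instance certifi's against the system one) by certificate fingerprint. The sample bundles are constructed stand-ins, not real certificates.

```python
"""Audit helper: which env vars redirect a client's trust anchors, and a
fingerprint diff of two PEM bundles. Standard library only."""
import base64
import hashlib
import os
import re

# Per-client environment variables that change where trust anchors come from:
# (client, variable, effect). Clients are the ones named in the comment.
TRUST_OVERRIDES = [
    ("openssl / python ssl / go", "SSL_CERT_FILE", "replaces the CA bundle file"),
    ("openssl / python ssl / go", "SSL_CERT_DIR", "replaces the CA directory"),
    ("requests", "REQUESTS_CA_BUNDLE", "replaces the CA bundle"),
    ("requests", "CURL_CA_BUNDLE", "replaces the CA bundle"),
    ("pip", "PIP_CERT", "replaces the CA bundle"),
    ("node", "NODE_EXTRA_CA_CERTS", "adds CAs on top of the built-in store"),
]

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def active_overrides(env):
    """Return [(client, var, value, effect)] for every override set in env."""
    return [(c, v, env[v], e) for c, v, e in TRUST_OVERRIDES if v in env]


def bundle_fingerprints(pem_text):
    """SHA-256 hex fingerprints of each certificate body in a PEM bundle."""
    fps = []
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))  # strip PEM line breaks
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def diff_bundles(reference_pem, candidate_pem):
    """Roots in candidate but not in reference ('extra'), and the reverse."""
    ref = set(bundle_fingerprints(reference_pem))
    cand = set(bundle_fingerprints(candidate_pem))
    return {"extra": sorted(cand - ref), "missing": sorted(ref - cand)}


def fake_pem(label):
    """Constructed PEM-shaped block (NOT a real certificate) for offline demos."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SYSTEM_BUNDLE = fake_pem("constructed-root-A") + fake_pem("constructed-root-B")
VENDORED_BUNDLE = SYSTEM_BUNDLE + fake_pem("constructed-root-injected")

if __name__ == "__main__":
    for client, var, value, effect in active_overrides(os.environ):
        print(f"{client}: {var}={value} ({effect})")
    print(diff_bundles(SYSTEM_BUNDLE, VENDORED_BUNDLE))
```

Run it inside a container image to see whether certifi or an environment variable has quietly replaced the OS store; an "extra" fingerprint is a root nobody in the distribution's process vetted.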

  • Guess how many people it takes to decide that a root certificate authority (#CA) is accepted into the #Mozilla program, from which all the browsers basically take their root CAs in turn?

    It's 1 person. And it's not actually documented anywhere as far as I can tell/find via Google. https://groups.google.com/a/mozilla.org/g/dev-security-polic...

    I think we need some transparency here, and maybe more than one person making this decision for everyone.

    Also, if I'm wrong and Mozilla has documented this somewhere, please, please prove me wrong and post the link as a reply.