[7] Mozilla はルートCA証明書ごとに trust bits として証明書の用途を記述しています >>6。
[10] 「ビット」としては「コード」、「電子メール」、「Webサイト」があるようです。
[11] 証明書ごとに事前に設定されている他、利用者が設定することもできます。
[1] 986005 – Turn off SSL and Code Signing trust bits for VeriSign 1024-bit roots ( 版) <https://bugzilla.mozilla.org/show_bug.cgi?id=986005>
[2] 936105 – Remove or turn off trust bits for Symantec 1024-bit root certs ( 版) <https://bugzilla.mozilla.org/show_bug.cgi?id=936105>
[3] Issue 274472 - chromium - SSL certificate imported via ONC does not maintain trust bits - An open-source project to help move the web forward. - Google Project Hosting ( 版) <https://code.google.com/p/chromium/issues/detail?id=274472>
[4] 986019 – Turn off SSL and Code Signing trust bits for Equifax 1024-bit roots ( 版) <https://bugzilla.mozilla.org/show_bug.cgi?id=986019>
[5] モジラ:ルート証明書へのトラストビット設定について:業界レポート:セキュリティ編 - GMOインターネット株式会社 ( 版) <https://www.gmo.jp/report/security/16/index.php>
[6] CA:IncludedCAs - MozillaWiki ( 版) <https://wiki.mozilla.org/CA:IncludedCAs>
[8] Mozilla CA Certificate Policy — Mozilla ( 版) <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
The certificates included by default have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers, S/MIME email users, and digitally-signed code objects without having to ask users for further permission or information.
[9] Mozilla CA Certificate Inclusion Policy — Mozilla ( 版) <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/>
We reserve the right to not include a particular CA certificate in our software products. This includes (but is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) would cause undue risks to users’ security