CA/Root Inclusion Considerations
DRAFT
The content of this page is a work in progress intended for review.
Root Inclusion Considerations
The purpose of the information below is to provide guidance that makes difficult root inclusion decisions more deterministic. This page is intended to be used as a tool for identifying when a CA operator's root inclusion request should be denied, or when a CA's root certificate should be removed from Mozilla's root store.
Mozilla’s Root Store Policy says:
- “We will determine which CA certificates are included in Mozilla's root store based on the risks of such inclusion to typical users of our products.”
- “We reserve the right to not include certificates from a particular CA operator in our root store. This includes (but is not limited to) cases where we believe that a CA operator has caused undue risks to users’ security, e.g. by knowingly issuing certificates without the knowledge of the entities whose information is referenced in those certificates ('MITM certificates').”
- “Mozilla is under no obligation to explain the reasoning behind any inclusion decision.”
Unacceptable Behavior
Mozilla finds the following behavior to be unacceptable for CA operators. Such CA operators will have their root inclusion requests denied, or will have their root certificates removed or given a distrust-after date (after which certificates issued by that root are no longer trusted).
- Reasonable suspicion that the CA is closely tied, through ownership or operation, to a company engaged in:
  - the distribution of malware or spyware, or
  - network surveillance, or
  - cyber espionage.
- The CA operator is located in a region from which it cannot use the CCADB (Common CA Database), or it is not capable of entering into a contractual agreement with a US-based company.
Concerning Behavior
Mozilla finds the following behavior to be concerning for CA operators. Taken in aggregate, it may lead to such CA operators having their root inclusion requests denied, or having their root certificates removed or given a distrust-after date.
- The CA’s provided address is a mail drop, rather than an office.
- The CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s root store.
- The CA is evasive on matters such as legal domicile and ownership.
- Physical, monetary, or business nexus to the government of a country that
  - has a score of less than 50 (on the 0 to 100 scale) on Transparency International's Corruption Perceptions Index
  - has an Internet Freedom Score of less than 50 (on the 0 to 100 scale used by Freedom House's Freedom on the Net report)
  - Other?
- The CA is associated with a government that has forced or is forcing end-users to install a government-issued root certificate on their devices, or the government has used certificates issued by the CA to intercept network communications.
- The CA is owned or funded by an individual or government organization that is known to also own or fund a vendor that has provided software used for network surveillance or cyber espionage.
- The CA uses a shell company, an acquisition, or other misdirection to divert attention away from its relationship with another organization or government.