CA/Root Inclusion Considerations
DRAFT
The content of this page is a work in progress intended for review.
Root Inclusion Considerations
This page provides guidance to help make difficult root inclusion decisions more deterministic. This page is intended to be used as a tool for identifying when a CA Operator's root inclusion request should be denied, or when a CA's root certificate should be removed from Mozilla's root store.
Mozilla’s Root Store Policy says:
- “We will determine which CA certificates are included in Mozilla's root store based on the risks of such inclusion to typical users of our products.”
- “We reserve the right to not include certificates from a particular CA operator in our root store. This includes (but is not limited to) cases where we believe that a CA operator has caused undue risks to users’ security, e.g. by knowingly issuing certificates without the knowledge of the entities whose information is referenced in those certificates ('MITM certificates').”
- “Mozilla is under no obligation to explain the reasoning behind any inclusion decision.”
When concerns are raised about a CA operator that currently has root certificates included in Mozilla's root store, Mozilla will take the steps described here: https://wiki.mozilla.org/CA/Maintenance_and_Enforcement#Potential_Problems.2C_Prevention.2C_Response
Unacceptable Behavior
Mozilla finds the following behavior to be unacceptable for CA operators. Such CA operators will have their root inclusion requests denied, or will have their root certificates removed or set to distrust-after.
- Reasonable suspicion that the CA is closely tied, through ownership or operation, to a company engaged in:
  - the distribution of malware or spyware, or
  - network surveillance, or
  - cyber espionage.
- The CA operator is in a global region that cannot use the CCADB, or is not capable of entering into a contractual agreement with a US-based company.
- The CA operator has:
  - mis-issued a large or unknown number of end-entity or intermediate certificates that they are not able to enumerate;
  - deliberately violated Mozilla's Root Store Policy or other applicable policy; or
  - lied, concealed, or failed to disclose the full extent of a problem.
Concerning Behavior
Mozilla finds the following behavior to be concerning for CA operators. In aggregate, it may lead to such CA operators having their root inclusion requests denied, or having their root certificates removed or set to distrust-after.
- The CA’s provided address is a mail drop, rather than an office.
- The CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store.
- The CA is evasive on matters such as legal domicile and ownership.
- Physical, monetary, or business nexus to a government of a country that:
  - has a score less than 50 on the Corruption Perceptions Index
  - has an Internet Freedom Score less than 50
  - Other?
- The CA is associated with a government that has or is forcing end-users to install a government-issued root certificate on their devices, or the government has used certificates issued by the CA to intercept network communications.
- The CA is owned or funded by an individual or government organization that is known to also own or fund a vendor that has provided software being used for network surveillance or cyber espionage.
- The CA uses a shell company, an acquisition, or other misdirection to divert attention away from their relationship with another organization or government.
Warning Signs
Obvious warning signs for CAs who have requested inclusion of their root certificates in Mozilla’s Root Store include but are not limited to the following. CAs exhibiting these warning signs will have to either improve their operations and demonstrate their ability to maintain the higher level of operations, or their root inclusion request will be denied.
The CA:
- Has a Certificate Change Prioritization score of P4 or P5.
- Is not a member of the CA/Browser Forum (CABF) Server Certificate Working Group (when applying for the Websites trust bit) or the CABF S/MIME Certificate Working Group (when applying for the Email trust bit).
- Is a Super-CA that signs the certificates of subordinate CAs only to show that they have been accredited or licensed by the signing CA (i.e. the super-CA does not guarantee that its subCAs comply with the BRs and Mozilla’s Root Store Policy).
- Has audit statements from an auditor whose auditor qualifications are insufficient or do not pass the verification checks for WebTrust auditors or ETSI auditors.
- Has gaps between audit periods.
- Does not fully comply with the CABF Baseline Requirements that are relevant to the trust bits they are applying for.
- Does not fully comply with Mozilla’s Root Store Policy, or
- Does any of the activities listed in https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Forbidden_Practices