This page provides guidance to help make difficult root inclusion decisions more deterministic. This page is intended to be used as a tool for identifying when a CA Operator's root inclusion request should be denied, or when a CA's root certificate should be removed from Mozilla's root store.

Mozilla’s Root Store Policy says:

• We will determine which CA certificates are included in Mozilla's root store based on the risks of such inclusion to typical users of our products.
• We reserve the right to not include certificates from a particular CA operator in our root store. This includes (but is not limited to) cases where we believe that a CA operator has caused undue risks to users’ security, e.g. by knowingly issuing certificates without the knowledge of the entities whose information is referenced in those certificates ('MITM certificates').
• Mozilla is under no obligation to explain the reasoning behind any inclusion decision.

When concerns are raised about a CA operator that currently has root certificates included in Mozilla's root store, Mozilla will take the steps described here: https://wiki.mozilla.org/CA/Maintenance_and_Enforcement#Potential_Problems.2C_Prevention.2C_Response

Unacceptable Behavior

For the following circumstances, Mozilla should deny the CA operator's root inclusion request. If the CA operator currently has root certificates in Mozilla's root store, then Mozilla should remove those root certificates or set them to be distrusted after a specified date.

• There is Reasonable suspicion that the CA is closely tied, through ownership or operation, to a company engaged in any of the following:
  • the distribution of malware or spyware;
  • network surveillance that collects information about a person or organization and sends it to another entity in a way that endangers the privacy or device security of the person or organization; or
  • cyber espionage that aims to obtain information from a person or organization without the knowledge or permission of the person or organization for personal, economic, political or military advantage.
• The CA operator is in a global region that cannot use the CCADB, or is not capable of entering into a contractual agreement with a US-based company.
• The CA operator appears to have:
  • Deliberately violated Mozilla's Root Store Policy or other applicable policy; or
  • Lied, concealed, or failed to disclose the full extent of a problem.
• The CA operator has:
  • Repeated incidents of certificate mis-issuance that the CA operator previously claimed to have resolved;
  • Failed to identify and remediate the root cause of their incident of certificate mis-issuance; or
  • Demonstrated insufficient quality or competence in their CA’s operations by frequently mis-issuing certificates, especially when such mis-issuance would be prevented by pre-issuance lint testing.

Mozilla may deny a root inclusion request for reasons or behaviors not listed on this page.

Concerning Behavior

The following situations are concerning and in aggregate may lead to Mozilla denying the CA operator's root inclusion request. If the CA operator currently has root certificates in Mozilla's root store, then Mozilla may remove those root certificates or set them to be distrusted after a specified date.

• The CA’s provided address is a P.O. box, mail drop, or an address shared with numerous other companies/entities. (e.g. shell corporate registry)
• The CA's auditor has not audited other CAs whose root certificates are already included in Mozilla’s Root store.
• The CA's representatives are evasive on matters such as legal domicile and ownership.
• The CA has physical, monetary, or business nexus to a government of a country that
  • has an Internet Freedom Score less than 50; or
  • has a score less than 50 on the Corruption Perceptions Index
• The CA is associated with a government that has or is forcing end-users to install a government-issued root certificate on their devices, or the government has used certificates issued by the CA to intercept network communications.
• The CA is owned or funded by an individual or government organization that is known to also own or fund a vendor that has provided software being used for network surveillance or cyber espionage.
• The CA uses a shell company, an acquisition, or other misdirection to divert attention away from their relationship with another organization or government.

Warning Signs

Warning signs for CA operators who have requested inclusion of their root certificates in Mozilla’s Root Store include but are not limited to the following. CA operators exhibiting these warning signs will have to either improve their operations and demonstrate their ability to maintain the higher level of operations, or their root inclusion request will be denied.

The CA:

• Has Certificate Change Prioritization score of P4 or P5.
• Is not a voting member, associate member, or interested party participating in the CA/Browser Forum (CABF) Server Certificate Working Group (when applying for the Websites trust bit) or the CABF S/MIME Certificate Working Group (when applying for the Email trust bit).
• Is a Super-CA that signs the certificates of subordinate CAs to only show that they have been accredited or licensed by the signing CA (i.e. the super-CA does not guarantee that their subCAs comply with the BRs and Mozilla’s root store policy.
• Has audit statements from an auditor whose auditor qualifications are insufficient or do not pass the verification checks for WebTrust auditors or ETSI auditors.
• Has gaps between audit periods.
• Does not fully comply with the CABF Baseline Requirements that are relevant to the trust bits they are applying for.
• Does not fully comply with Mozilla’s Root Store Policy or
  • https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Required_Practices.
• Does any of the activities listed in https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Forbidden_Practices