CA/Quantifying Value

Purpose and Principles

The purpose of this page is to guide new Certification Authority (CA) operators in preparing a Value Statement to accompany their root store inclusion request.

Mozilla’s goal is to determine whether the benefit to Mozilla’s users of including a particular root certificate outweighs the inherent risks of trust delegation. This aligns with Principle 4 of the Mozilla Manifesto:

“Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.”

Mozilla’s Root Store Policy requires that CAs included by default in Mozilla products provide services relevant to and beneficial for Mozilla users. Therefore, your Value Statement must explain, with objective and verifiable evidence, how your CA enhances user security, privacy, and trust.

Submissions that rely on unverifiable marketing claims such as “millions of users” or “trusted nationwide” will not be accepted. Assertions must be supported by data, audit evidence, and credible facts that demonstrate value and legitimacy.

Mozilla evaluates Value Statements according to three main themes:

• User Value and Impact – measurable benefits to Mozilla’s users.
• Compliance Maturity and Risk Management – the CA’s demonstrated ability to operate responsibly and minimize incidents.
• Transparency and Public Accountability – openness in operations, incident handling, and participation in Mozilla’s public compliance ecosystem.

Opaque or government-operated CAs that cannot demonstrate measurable user benefit and transparency will not meet Mozilla’s inclusion expectations.

1. User Value and Impact

Policy Rationale

Mozilla prioritizes inclusion of CAs that provide direct and measurable benefits to users of Mozilla products such as Firefox and Thunderbird. The goal is not market share, but tangible improvements in user security, privacy, accessibility, and trust.

Guidance

Provide quantitative data—such as the number of active certificates, user communities served, and measurable improvements in security or privacy outcomes. Describe how your CA’s inclusion benefits Mozilla users specifically, not just governments, enterprises, or the general PKI ecosystem.

Questions to Address

• What specific communities or regions does your CA serve? (e.g., under-represented languages, educational or nonprofit sectors, local businesses)
• How many certificates currently in use serve Mozilla users directly (e.g., TLS certificates for Firefox users, S/MIME certificates for Thunderbird users)?
• How does your CA’s presence improve user security or privacy (e.g., faster revocation handling, DNSSEC adoption, improved domain validation)?
• How does your CA align with Mozilla’s mission to make the internet open, accessible, and secure for everyone?
• What measurable outcomes demonstrate your CA’s impact (e.g., incident-free issuance rate, percentage of automated issuance, reduction in mis-issuance events)?
• How does your CA’s inclusion provide a return on Mozilla’s investment in oversight (e.g., reduced need for manual review, consistent audit quality)?

2. Compliance Maturity and Risk Management

Policy Rationale

Mozilla’s trust decisions depend on each CA’s proven ability to maintain secure, reliable, and compliant operations. Demonstrating compliance maturity shows that your CA can be trusted to minimize risk and respond effectively to incidents.

Guidance

Explain the design, governance, and continuous improvement of your compliance program. Include evidence such as incident rates, automation levels, staff qualifications, and independent audits. Vague assurances of compliance are insufficient—your answers should demonstrate operational depth and accountability.

Questions to Address

Commitment and Resourcing

• Who are the applicant’s beneficial owners, and what is their long-term commitment to operating a compliant CA?
• What investments have been made in CA infrastructure, staffing, and compliance functions?
• What portion of your organization’s resources are allocated to compliance and risk management?
• How is your compliance budget determined, and how do you ensure it remains adequate as operations evolve?

Personnel and Expertise

• Who within your organization tracks updates to CA/Browser Forum, IETF, or audit-related standards?
• How are personnel trained and kept current on changing industry requirements?
• What relevant experience and technical qualifications do key compliance and PKI staff possess?
• How has your CA reviewed and learned from past incidents reported in Bugzilla or other forums, and how were lessons integrated into operations?

Operational Design for Compliance

• How are systems architected to ensure compliance with the Baseline Requirements and Mozilla Root Store Policy?
• What automated mechanisms (e.g., pre-issuance linting, CAA checking, multi-perspective domain validation) reduce operational risk?
• How are processes documented and enforced programmatically?
• How is agility maintained so that systems can be updated quickly when security or compliance requirements change?
• What performance metrics or KPIs do you use to monitor compliance effectiveness?

Compliance Program and Third-Party Oversight

• What formal compliance or risk management framework does your organization follow (e.g., ISO 27001, NIST 800-53, WebTrust/ETSI criteria)?
• How long has the program been operational, and how is it reviewed or improved over time?
• What independent assessments or audits have been conducted? Who performed them, and what are the auditor’s qualifications?
• How are identified deficiencies documented, tracked, and remediated?
• How does management ensure “tone at the top” for compliance culture and accountability?

3. Transparency and Public Accountability

Policy Rationale

Trust in the web PKI ecosystem depends on transparency. Mozilla expects CAs to operate openly—sharing information about compliance, participating in public review processes, and responding constructively to feedback.

Guidance

Provide examples of your CA’s public engagement, such as participation in Bugzilla incident threads, CCADB updates, or industry working groups. Describe your processes for disclosure, communication, and corrective action. Applicants that maintain open, timely communication demonstrate greater reliability.

Questions to Address

• How has your CA participated in Mozilla’s public compliance ecosystem (e.g., Bugzilla discussions, incident reporting, or CCADB submissions)?
• What internal procedures ensure timely public disclosure of incidents and follow-up actions?
• How does your organization communicate and cooperate with Mozilla or other root programs during incident handling?
• What public resources (e.g., repository, transparency reports, mailing list participation) reflect your CA’s accountability?
• What steps have you taken to promote openness, standardization, or community improvements in PKI operations?

4. Summary and Expectations

A strong Value Statement should:

• Demonstrate direct benefit to Mozilla users through quantitative and verifiable evidence.
• Establish compliance maturity by describing structured, well-resourced, and independently reviewed practices.
• Show transparency and accountability through public engagement, open incident reporting, and continuous improvement.

Submissions that are purely promotional or that lack measurable, user-focused evidence will be downgraded. Mozilla values trustworthiness, openness, and clear benefit to users above all other factors.

5. Examples of Strong vs. Weak Responses

The following examples illustrate how CAs can strengthen their Value Statements. Responses should focus on measurable data, Mozilla-user relevance, and demonstrable transparency, rather than general marketing claims or compliance slogans.

User Value and Impact

Strong: “Issued approximately 220,000 TLS certificates currently observed in use by Firefox users in South America and sub-Saharan Africa. We provide OCSP and CRL endpoints with 99.98% uptime and maintain full IPv6 and DNSSEC support to enhance end-user reliability.” Weak: “We are trusted by millions of users across the country and are compliant with eIDAS and ISO standards.”

Compliance Maturity and Risk Management

Strong: “Our automated pre-issuance linting prevents 99.7% of potential misissuance events. We have maintained an incident rate of less than 0.3% since 2022 and conduct quarterly internal control reviews aligned with WebTrust and ETSI criteria.” Weak: “We follow all CAB Forum and WebTrust requirements and maintain full compliance at all times.”

Personnel and Expertise

Strong: “Our compliance team of six staff includes two former WebTrust auditors and a CAB Forum working group participant. All staff complete annual PKI and information security training. Lessons learned from Bugzilla incidents are reviewed quarterly to inform process updates.” Weak: “Our team is highly skilled and continuously monitors compliance developments.”

Transparency and Public Accountability

Strong: “We have reported and discussed three compliance incidents in Bugzilla since 2023, provided public updates within 24 hours of discovery, and published post-incident reviews on our transparency page.” Weak: “We disclose incidents to auditors and regulators as required and keep Mozilla informed as needed.”

Mozilla-User Alignment

Strong: “Our inclusion supports Firefox users in regions where no other publicly trusted CA provides local-language validation and low-cost S/MIME services. This directly enhances accessibility and privacy for small organizations and NGOs using Mozilla products.” Weak: “Our services are essential to national e-government programs and are trusted by enterprises and citizens alike.”

The section above is intended as illustrative guidance only. It does not prescribe specific thresholds or metrics but highlights the qualities of complete, verifiable, and user-focused Value Statements.