Changes

CA/Application Process

13 bytes added, 00:05, 11 July 2018
Who May Apply: Updated to align with version 2.6 of policy that removed requirement that roots benefit Mozilla users.
CAs must carefully consider whether their root certificate needs to be [[CA/Included_Certificates|directly included in Mozilla's root store]] or if it would be better to be a [[CA/Intermediate_Certificates|subordinate CA of an already-included CA]].
If a CA controls all the domains that use their root certificate, then they probably do not meet the criteria for inclusion in Mozilla's root store. [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's CA Certificate Policy] states: "We will determine which CA certificates are included in software products distributed by Mozilla, 's root program based on the benefits and risks of such inclusion to typical users of those our products." With ALL affected domains under your controlIncluding any CA carries a level of risk that is measured, in part, your root certificate would not seem to create a benefit for typical Mozilla usersby the past record of the CA (or lack thereof), their responsiveness (or lack thereof), only for users and the level of your servicescompetence and precision demonstrated by the CA during the inclusion process. Perhaps In some cases, a better alternative is to be a [[CA/Intermediate_Certificates|subordinate CA]] of a CA who is already [[CA/Included_Certificates|included in Mozilla's root store]]. It is the CAapplicant's responsibility to justify why their root certificate needs to be included in Mozilla's root store and explain how why the inclusion will benefit typical not introduce undue risk for Mozilla users.
Having a root certificate you control included in Mozilla's root store is a significant major ongoing responsibility; it is '''not''' a one-time trivial effort. It means that, in the normal case, the world will trust you to correctly issue digital certificates identifying any websiteand/or email address. There will be associated costs in maintaining the required security infrastructure , keeping up-to-date with evolving technical and having it audited procedural requirements, and conducting audits on a yearly an annual basis. After a CA has a certificate included in Mozilla's root store, it is expected that the CA will continue to be aware of [https://groups.google.com/forum/#!forum/mozilla.dev.security.policy ongoing discussions] and updates to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]. The CA is required to send regular updates to Mozilla via the [http://ccadb.org/ Common CA Database (CCADB)], including annual updates to their policy and audit documentation.
= Process Overview =
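Review bot: the CCADB link in the last changed paragraph is written with plain http (`[http://ccadb.org/ Common CA Database (CCADB)]`), while the Mozilla policy and mozilla.dev.security.policy links in the same paragraphs use https. This is the link CAs are told to use for their required policy and audit updates, so it should point at the https URL like the others.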