The internet secure communications system requires Certification Authorities (CAs) - parties trusted to attest to the identity of websites. Mozilla products ship a default list of CA certificates, which may change with each security patch or new version of the product. The following pages explain how the default list of CA certificates is managed.
It can take as long as two years for a new CA to make it from one end of the process to the other. If the CA does not provide requested information in a timely manner, then the application will take even longer, or be cancelled.
The overall steps of the CA certificate inclusion process are as follows.
- A representative of the CA submits a request for root inclusion.
- If you would like to see a particular root certificate included in Mozilla products, then please contact the CA who operates that root certificate.
- A representative of the CA provides information about the CA and operation of the root certificate(s).
- A representative of Mozilla verifies the information provided by the CA.
- A representative of Mozilla adds the request to the queue for public discussion.
- Anyone interested in the CA's application participates in discussions of CA requests further up in the queue.
- When the application reaches the head of the queue, a representative of Mozilla starts the public discussion for that particular CA.
- We prefer that at least two independent parties review and comment upon each application.
- A representative of the CA responds to questions and concerns posted during the public discussion of the CA's request.
- A representative of Mozilla summarizes the discussion and resulting action items.
- A representative of the CA completes action items resulting from the public discussion, which may include updating processes, documentation, and audits.
- A representative of Mozilla confirms the completion of the action items and starts a second round of public discussion if needed.
- A representative of Mozilla concludes the public discussion of the CA's request.
- A representative of Mozilla summarizes the request and states the intent to approve the request for inclusion.
- A representative of Mozilla creates a bug requesting the actual changes in NSS (and PSM for EV treatment).
- A representative of the CA confirms that all the data in the NSS bug is correct.
- A representative of Mozilla creates a patch with the new CA certificates and trust bit settings, and provides a special test version of Firefox. Changes to NSS regarding CA certificate applications are usually grouped and done as a batch when there is either a large set of changes or about every 3 months.
- A representative of the CA uses the test version of Firefox to confirm (by adding a comment in the NSS bug) that the correct certificate(s) is included and that the trust bits are correctly set.
- A representative of Mozilla requests that another Mozilla representative review the patch.
- A representative of Mozilla adds (commits) the patch to NSS, then closes the NSS bug as RESOLVED FIXED.
- Mozilla products move to using a version of NSS which contains the certificate changes. This process is mostly under the control of the release drivers for those products. See Mozilla's Release Calendar.
Ways You Can Help
Our most pressing need is help with reviewing and contributing to the public discussions of CA applications. If a CA you care about is in the queue for public discussion, the best way to move it towards inclusion is to quickly and diligently review and contribute to discussions of the applications of CAs ahead of it.