CA/Information Checklist

From MozillaWiki

Information checklist for CAs applying for inclusion in Mozilla

In order to support cryptographic applications such as SSL/TLS connections to web and other servers, and signed and encrypted email, Firefox and other Mozilla-based products contain digital certificates and related metadata for multiple Certification Authorities (CAs). By including the CA certificates and the associated pre-set metadata values, Mozilla-based products can recognize as valid the end entity certificates that are issued under the auspices of the CAs in question and are associated with, e.g., web servers and email senders.

CAs wishing to have their certificates included in Mozilla products must comply with the requirements of the Mozilla Root Store Policy and must supply the information necessary to determine whether or not the policy’s requirements have been satisfied. The information must be provided in a Mozilla Bugzilla bug as described in Mozilla's Application Process Overview. This information includes (but is not necessarily limited to) the information listed on this page.

The information provided by the CA will be verified by a representative of Mozilla to the maximum extent practicable using CAs’ published documentation. Statements attributed to third parties (e.g., auditors) shall be verified with those parties. The information gathered should be published through the appropriate Mozilla channels (e.g., web sites, bug reports, and/or discussion forums).

Example and Template

The template and example below show the information that the CA must provide for a root inclusion/update request.

  • Template (Google Doc)
  • Example -- an Example Root Inclusion Case in CCADB
  • Note that the certificate data will be extracted directly from the PEM of the certificate, so the CA should attach the PEM of the root certificate to the Bugzilla bug, or provide a link to the certificate on their website.

Mozilla's process is public-facing, so all information that will be taken under consideration during the root inclusion request must be publicly available and provided by the CA via the Bugzilla bug report.

CA Primary Point of Contact (POC)

In addition to the information listed in the template and example above, CAs must provide the contact information for at least one person filling the role of Primary Point of Contact (POC), and may use a contractor as one of the POCs. The CA must have one or more people within the CA’s organization who jointly have authority to speak on behalf of the CA, and to direct whatever changes the review process or Mozilla’s CA Communications require. At least one of the CA’s POCs should also be in a position to make commitments for the CA and be held accountable by the CA.

The POCs will:

Required contact information:

  • Direct E-mail address, full name (first and last name), and phone number to a specific individual within the CA (must be one of the POCs).
  • CA Email Alias: An email alias is being requested so that more than one person in your organization will receive notifications in case the primary contact is out of the office or leaves the organization. Mozilla CA Communications will be sent to both the POC direct email address(es) and the email alias.
  • CA Phone Number: A main phone number from which Mozilla can reach the organization responsible for root certificates for the CA.
  • Title / Department: If Mozilla needed to call your main phone number, what Title/Department should the Mozilla representative ask for?

If the CA uses a contractor as an additional POC, then someone at the CA must be CC’d on the root inclusion Bugzilla bug, CA Communications, and the CA’s responses to CA Communications.

  • An individual within the CA must also get a Bugzilla account and comment in the bug to say that they will be a POC for the CA, and that the contractor has indeed been hired by the CA to act as one of the POCs.

To ensure that the POC(s) have the authority to perform the tasks listed above, a representative of Mozilla will do the following.

  1. Use the CA’s website to confirm that the domain in the email address of at least one of the POCs is owned by the CA (e.g. @CAname.com).
  2. Use the CA’s website to contact a person at the CA to confirm that at least one of the POCs that have been provided does indeed have the authority to perform the responsibilities listed above on behalf of the CA.
  3. If a contractor is also used as a POC, then contact the POC that was previously verified to confirm that the CA has indeed enlisted the help of the contractor.