CA/Mass Revocation Events

From MozillaWiki


The following is guidance to assist CA operators in complying with Section 6.1.3 of the Mozilla Root Store Policy (Mass Revocation Planning for TLS Certificates).

Implementation Timeline and Deadlines

All CA operators with CAs capable of issuing TLS Server Certificates MUST have a comprehensive Mass Revocation Plan in place no later than September 1, 2025.

This means that the plan must be fully documented and ready for use—not just in draft or under development—by that date. CA operators are encouraged to begin development and internal review of their plans well in advance to ensure sufficient time for testing and any necessary improvements.

Important Note on Audit Timing: If a CA operator finalizes its plan shortly before the deadline (e.g., on August 30, 2025), and its regular audit cycle begins June 1, 2025, the CA operator may have only a nine-month window to test and improve the plan before the end of that audit period (e.g. June 1, 2026), after which the plan must be assessed and reported on within the following three months (90 days).

To avoid unnecessary compression of timelines and to allow for meaningful testing and iteration, CA operators are strongly advised to implement their Mass Revocation Plans well before the September 1, 2025, deadline. CA operators will be expected to demonstrate that the assessment has been completed within three months following the end of their regular annual audit period, and annually thereafter unless notified otherwise.

Independent Assessment of the Mass Revocation Plan

A licensed auditor or Conformity Assessment Body (CAB) is not required to perform the evaluation of a CA operator’s Mass Revocation Incident Preparation and Testing Plan ("Plan"). However, the CA operator MUST engage an independent third-party assessor to conduct a thorough review. The assessor should evaluate whether the CA operator has:

  • Comprehensive and Actionable Plans – Well-documented procedures that enable the CA to effectively manage mass revocation events.
  • Demonstrated Implementation and Feasibility – Evidence of successful testing exercises, including detailed documentation of test processes, timelines, results, and any remediation steps taken.
  • Continuous Improvement – A structured approach for incorporating feedback from testing exercises and other evaluations to enhance preparedness and optimize future performance.

The assessment may be conducted by a knowledgeable individual, or an organization, with experience in such things as CA operations, policy compliance, disaster recovery, business continuity, certificate revocation, and certificate replacement. Ideally, the reviewer should have familiarity with ETSI or WebTrust frameworks. To ensure objectivity, the assessor must be sufficiently independent from the operations of the CA (organizationally independent) and capable of delivering a thorough and unbiased evaluation.

Reporting

It is strongly recommended that assessment results be included as part of the CA operator’s regular audit, using its audit reporting cadence, under the ETSI/ACAB’c or WebTrust audit framework. Reporting must include:

  • Confirmation that the assessment or review was conducted
  • A summary of the scope and methodology used
  • Key findings, including whether the plan is documented, feasible, and regularly tested
  • Recommendations or remediation items, if applicable
  • A statement of overall plan sufficiency, testing, and plan improvement
  • Any other information necessary to provide Mozilla with clear insight into the CA operator's mass-revocation readiness

A report summarizing this information is expected to be submitted on an annual basis, until Mozilla indicates otherwise. Mozilla reserves the right to request a copy of the report at any time.

Certification Practice Statement (CPS) Disclosure

It is also recommended that the CA operator include a statement in its Certification Practice Statement (CPS) (e.g. in Section 4.9 or Section 5.7). It can combine its mass revocation planning program with its annual business continuity and disaster recovery planning and testing. The CPS should affirm that the CA operator "maintains a comprehensive and actionable plan for mass revocation events, performs annual testing of its procedures, and incorporates lessons learned to improve preparedness over time." By including a statement about the CA operator’s mass revocation planning program in its CPS, the program can be formally included within the scope of the CA’s WebTrust or ETSI audit, making it easier for auditors/CABs to assess the program as part of the CA’s WebTrust or ETSI annual audits.

Plan Communication and Awareness

CA operators should communicate the Mass Revocation Incident Preparation and Testing Plan—and any related expectations or updates—to all personnel in trusted roles, both during onboarding and annually thereafter. This will ensure that such personnel remain familiar with their responsibilities and are prepared to execute the plan during a mass revocation incident.

Required Plan Elements

Here is a list of "Required Plan Elements" that a Mass Revocation Plan should address:

  • Activation Criteria - clearly define the conditions under which the Plan is triggered
  • Customer Contact Information – specify how contact information is stored and kept up to date
  • Automation Points – identify which tasks are automated (or can be automated) and which require manual action
  • Targets and Timelines - each phase should have targets and timelines (for triage, revocation initiation, certificate replacement, and updating the Plan)
  • Subscriber Notification Methods - clearly describe mechanisms (e.g. email, system dashboards, automation tooling) for reaching impacted subscribers
  • Role Assignments - clearly identify roles and responsibilities for those who initiate and execute the Plan
  • Training and Education - set expectations for awareness and readiness among responsible personnel
  • Plan Testing - verify operational readiness and identify gaps before a real-world incident
  • Post-Test Analysis and Update Schedule – specify how lessons learned are incorporated and how frequently the Plan is reviewed and updated
  • Third-Party Assessment - obtain independent validation of the Plan’s sufficiency and effectiveness

Template

Here is a non-normative template based on requests from CAs for guidance on complying with MRSP section 6.1.3, which requires that CAs maintain and test a mass revocation plan. The following is informational and illustrative only, and provided here for discussion and suggestions on its improvement. The template below also provides a sample definition of "Mass Revocation Event".

Mass Revocation Incident Preparation and Testing Plan (MRIP&TP)

Certification Authority (CA) Operator

Version History

Date        | Description of Changes          | Version
2025        | Original                        | 1.0
2025-04-29  | Added "required plan elements"  | 1.1

CA Operator Contact Information

[Company Name] [Address] [Telephone] [Email]


1. Introduction

The management of [CA Operator] recognizes that the continuity of essential CA services depends on effective certificate revocation and replacement processes. These processes rely on robust IT infrastructure, effective customer communication, and rapid response capabilities.

To mitigate risks associated with a Mass Revocation Event (MRE), which could cause disruption to customers, financial losses, and damage to trust, management has authorized the development, implementation, and maintenance of this Mass Revocation Incident Preparation and Testing Plan (MRIP&TP).

The MRIP&TP is aligned with [CA Operator] policies, compliance obligations, and industry best practices. It provides a framework for MRE response, customer communication, certificate replacement, revocation, and plan testing. This plan also aims to ensure compliance with industry and root store requirements, such as the CA/Browser Forum TLS Baseline Requirements and Mozilla Root Store Policy.

2. Mission and Objectives

The mission of this plan is to ensure a well-coordinated, rapid, and effective response to a Mass Revocation Event while maintaining compliance and minimizing disruptions.

Plan objectives are to:

  • Define clear roles and responsibilities for the teams assigned with handling MREs.
  • Identify critical processes and time-sensitive milestones for mass revocation preparedness.
  • Provide timely, clear communication to customers and other stakeholders to minimize disruptions.
  • Develop and document certificate revocation strategies and procedures to ensure swift certificate replacement and compliance with revocation deadlines.
  • Report any delayed revocations to Bugzilla.
  • Improve readiness through effective training, testing, and continuous improvement of mass revocation procedures.

3. Scope

This plan applies to the scoping, implementation, execution, review, training, testing, and improvement of mass revocation processes at [CA Operator]. It supports compliance with Mozilla Root Store Policy Section 6.1.3 and covers:

  • Maintenance of a well-documented and actionable mass revocation plan.
  • Rapid communication with customers and affected third parties.
  • Certificate replacement strategies.
  • Revocation execution and publication of certificate status.
  • Operational coordination and team responsibilities.
  • Compliance with CA/Browser Forum requirements.
  • Demonstrating implementation and feasibility through annual testing (simulations, tabletop exercises, or controlled test environments).
  • Incorporating lessons learned by making plan improvements.
  • Third-party assessment and external compliance evaluation.

4. Classification

4.1 Definition and Declaration of an MRE

[Required Plan Element: Activation Criteria - clearly define the conditions under which the Plan is triggered]

A Mass Revocation Event (MRE) is defined as:

The revocation of a substantial number of TLS server certificates within a relatively short timeframe due to a common cause, compliance requirement, or security incident. The impact threshold is based on the CA’s total issuance volume and operational scale.

A Mass Revocation Event would be triggered, and this plan activated, based on:

  • Absolute Volume Impact – Affects ≥ 100 TLS certificates.
  • Relative Issuance Impact – Affects ≥ 1% of the CA’s active TLS certificates.
  • Timeframe Impact – Requires revocation within timeframes set forth in section 4.9.1.1 of the TLS Baseline Requirements.
  • Operational Burden – Requires major customer outreach, urgent operational changes, or compliance reporting.

Or in response to any of the following:

  • Compromise or suspected compromise of a CA private key.
  • Compliance failures affecting X TLS server certificates (X being the CA operator's chosen threshold).
  • Discovery of a major vulnerability impacting server private keys (e.g., Heartbleed).

The Management Team will assess and declare a Mass Revocation Event based on these criteria.


4.2 Customer Contact Information

[Required Plan Element: Customer Contact Information – specify how contact information is stored and kept up to date]

4.3 Identification of Manual and Automated Processes

[Required Plan Element: Automation Points – identify which tasks are automated (or can be automated) and which require manual action]

5. Decision Points and Strategies

5.1 Initial Assessment and Activation

Upon identification of a potential MRE, the Management Team will:

  1. Assess the incident’s scope and severity against the defined MRE criteria.
  2. Issue an internal alert to notify team members of possible activation.
  3. Determine affected certificate population and impacted customers.
  4. Estimate timelines required to perform notification, replacement, and revocation.
  5. Initiate a conference call to validate findings and coordinate response.
  6. Mobilize internal teams and notify external stakeholders as needed.

5.2 Response Phases

[Required Plan Element: Targets and Timelines - each phase should have targets and timelines (for triage, revocation initiation, certificate replacement, and updating the Plan)]

An MRE will be managed in four structured phases:

Phase 1 – Customer Communication

[Required Plan Element: Subscriber Notification Methods - clearly describe mechanisms (e.g. email, system dashboards, automation tooling) for reaching impacted subscribers]

  • Issue early notification to affected customers.
  • Provide guidance on certificate replacement timelines and procedures.
  • Engage technical support teams for high-priority customers.
  • Targets for contacting and communicating with customers.

Phase 2 – Certificate Replacement

  • Automate renewal or reissuance where possible.
  • Offer manual assistance for complex cases.
  • Monitor progress and address replacement delays.
  • Targets for certificate replacement.

Phase 3 – Certificate Revocation

  • Execute mass revocation in compliance with industry timelines.
  • Publish updated CRLs and OCSP responses within expected timeframes.
  • Report delayed revocations if necessary.
  • Targets for certificate revocation.

Phase 4 – Post-Mortem and Improvement

  • Conduct an internal review of response effectiveness.
  • Document lessons learned and areas for improvement.
  • Update MRIP&TP based on findings.
  • Targets for these three tasks.
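The activation criteria in section 4.1 and the phase targets in section 5.2 are the parts of the template a CA operator can turn into tooling: a triage step that checks an incident against the declared thresholds, derives the revocation deadline and the intermediate notification and replacement targets from it, and prepares the Phase 1 notification batches from the subscriber contact data the plan requires. The following Python is an added, illustrative example written for this page; it is not Mozilla's code or any CA's tooling. The absolute (100) and relative (1%) thresholds are the template's own sample values. The revocation windows, the mapping of incident causes to those windows, and the phase targets (notify within the first tenth of the window, replace with a fifth of the window still left) are assumptions of this example, and the certificate and contact data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds as stated in the template's section 4.1 (sample values a CA would tune).
ABSOLUTE_THRESHOLD = 100   # "Affects >= 100 TLS certificates"
RELATIVE_THRESHOLD = 0.01  # "Affects >= 1% of the CA's active TLS certificates"

# Assumed here: revocation windows modelled as parameters. The cause-to-window
# mapping is this example's simplification; a real plan must cite the current
# TLS Baseline Requirements section 4.9.1.1 text for each revocation reason.
WINDOWS = {
    "ca_key_compromise": timedelta(hours=24),
    "subscriber_key_vulnerability": timedelta(hours=24),
    "compliance_failure": timedelta(days=5),
    "other": timedelta(days=5),
}
# Causes the template lists as activating the plan regardless of volume.
AUTOMATIC_TRIGGERS = {"ca_key_compromise", "subscriber_key_vulnerability"}


@dataclass(frozen=True)
class Cert:
    serial: str
    subscriber_contact: str  # where the Phase 1 notification goes (section 4.2)
    automated_renewal: bool  # renewal client present: an "Automation Point" (4.3)


@dataclass
class Incident:
    cause: str
    affected: list
    active_tls_certs: int  # CA-wide population used for the relative test
    detected_at: datetime
    major_outreach_needed: bool = False


@dataclass
class Assessment:
    is_mre: bool
    reasons: list
    revocation_deadline: datetime
    notify_by: datetime
    replace_by: datetime
    manual_replacements: list
    notification_batches: dict


def assess(incident: Incident) -> Assessment:
    """Apply the section 4.1 criteria and derive section 5.2 phase targets."""
    n = len(incident.affected)
    reasons = []
    if incident.cause in AUTOMATIC_TRIGGERS:
        reasons.append(f"automatic trigger: {incident.cause}")
    if n >= ABSOLUTE_THRESHOLD:
        reasons.append(f"absolute volume impact: {n} certificates")
    if incident.active_tls_certs and n / incident.active_tls_certs >= RELATIVE_THRESHOLD:
        share = n / incident.active_tls_certs
        reasons.append(f"relative issuance impact: {share:.2%} of active certificates")
    window = WINDOWS.get(incident.cause, WINDOWS["other"])
    # This example reads "Timeframe Impact" as the short, 24-hour class of revocation.
    if window <= timedelta(hours=24):
        reasons.append("timeframe impact: 24-hour revocation window")
    if incident.major_outreach_needed:
        reasons.append("operational burden: major customer outreach required")

    deadline = incident.detected_at + window
    # Illustrative phase targets: notify early, finish replacement before revocation.
    notify_by = incident.detected_at + window / 10
    replace_by = incident.detected_at + window * 4 / 5

    # Phase 1 batches: one notification per subscriber contact, listing its serials.
    batches = {}
    for cert in incident.affected:
        batches.setdefault(cert.subscriber_contact, []).append(cert.serial)
    # Phase 2: certificates with no renewal automation need manual assistance.
    manual = [cert.serial for cert in incident.affected if not cert.automated_renewal]
    return Assessment(bool(reasons), reasons, deadline, notify_by, replace_by, manual, batches)


def sample_incident() -> Incident:
    """Constructed sample: 120 certificates across three subscribers, found to
    have a compliance defect at 09:00 UTC on 2025-06-01 (not real data)."""
    detected = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
    contacts = ["ops@a.example", "pki@b.example", "it@c.example"]
    certs = [Cert(serial=f"{i:04x}", subscriber_contact=contacts[i % 3],
                  automated_renewal=(i % 4 != 0)) for i in range(120)]
    return Incident("compliance_failure", certs, active_tls_certs=50_000, detected_at=detected)


if __name__ == "__main__":
    a = assess(sample_incident())
    print("MRE declared:", a.is_mre)
    for reason in a.reasons:
        print("  -", reason)
    print("notify by:", a.notify_by)
    print("replace by:", a.replace_by)
    print("revoke by:", a.revocation_deadline)
    print("manual replacements:", len(a.manual_replacements))
    for contact, serials in a.notification_batches.items():
        print(f"  {contact}: {len(serials)} certificates")
```

For the constructed sample the absolute threshold alone activates the plan (120 certificates is 0.24% of the active population, below the relative threshold), the five-day window puts revocation at 09:00 UTC on 2025-06-06, and 30 certificates have no renewal automation and would be routed to the Phase 2 manual-assistance track. The output is what a Management Team would want in front of it when declaring an MRE under section 4.1; the phase fractions are placeholders for the targets the plan itself must set.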

6. Response Team Organization and Responsibilities

[Required Plan Element: Role Assignments - clearly identify roles and responsibilities for those who initiate and execute the Plan]

6.1 Organizational Chart

Response Team Roles

Team and Team Leader                   | Role                              | Responsibilities
Management Team - [Name]               | Senior Leadership                 | Approves, monitors, and authorizes mass revocation responses.
Customer Relations Team - [Name]       | Public Relations and Support      | Communicates with customers and handles inquiries.
Certificate Replacement Team - [Name]  | Validation and Technical Support  | Assists customers with certificate replacement.
Certificate Revocation Team - [Name]   | Compliance and Operations         | Executes revocation and publishes status updates.
External Communications - [Name]       | Legal and Policy                  | Notifies root stores, regulators, and stakeholders.
Compliance and Legal Teams - [Name]    | Risk and Governance               | Ensures adherence to legal and compliance obligations.

7. Plan Training, Testing, and Continuous Improvement

7.1 Training and Awareness

[Required Plan Element: Training and Education - set expectations for awareness and readiness among responsible personnel]

  • All team members must undergo initial onboarding and annual training on mass revocation response procedures.
  • Regular testing exercises will be conducted to evaluate readiness.

7.2 Plan Testing and Simulation

[Required Plan Element: Plan Testing - verify operational readiness and identify gaps before a real-world incident]

  • The plan will be tested at least once every 12 months.
  • Simulated revocation scenarios will assess:
    • Effectiveness of customer communication.
    • Speed and accuracy of certificate replacement.
    • Efficiency of revocation execution.

7.3 Continuous Improvement

[Required Plan Element: Post-Test Analysis and Update Schedule – specify how lessons learned are incorporated and how frequently the Plan is reviewed and updated]

8. Third-Party Assessment

[Required Plan Element: Third-Party Assessment - obtain independent validation of the Plan’s sufficiency and effectiveness]

  • Engage a third-party assessor annually, beginning with the CA’s next audit cycle occurring on or after June 1, 2025.
  • Provide documentation demonstrating that:
    • The MRIP&TP is well-documented and actionable.
    • Testing exercises have been conducted and documented.

9. Conclusion

This Mass Revocation Incident Preparation and Testing Plan is a critical component of [CA Operator]’s commitment to operational resilience and compliance.