Root Inclusion Considerations
This page provides guidance to help make difficult root inclusion decisions more deterministic. It is intended to be used as a tool for identifying when a CA operator's root inclusion request should be denied, or when a CA's root certificate should be removed from Mozilla's root store.
Mozilla’s Root Store Policy says:
- We will determine which CA certificates are included in Mozilla's root store based on the risks of such inclusion to typical users of our products.
- We reserve the right to not include certificates from a particular CA operator in our root store. This includes (but is not limited to) cases where we believe that a CA operator has caused undue risks to users’ security, e.g. by knowingly issuing certificates without the knowledge of the entities whose information is referenced in those certificates ('MITM certificates').
- Mozilla is under no obligation to explain the reasoning behind any inclusion decision.
When concerns are raised about a CA operator that currently has root certificates included in Mozilla's root store, Mozilla will take the steps described here: https://wiki.mozilla.org/CA/Maintenance_and_Enforcement#Potential_Problems.2C_Prevention.2C_Response
For the following circumstances, Mozilla should deny the CA operator's root inclusion request. If the CA operator currently has root certificates in Mozilla's root store, then Mozilla should remove those root certificates or set them to be distrusted after a specified date.
- There is reasonable suspicion that the CA is closely tied, through ownership or operation, to a company engaged in any of the following:
  - the distribution of malware or spyware;
  - network surveillance that intercepts/manipulates traffic or collects private information about a person or organization and sends it to another entity without the permission of the person or organization, or in a way that endangers the privacy or device security of the person or organization; or
  - cyber espionage that aims to obtain private information from a person or organization without the knowledge or permission of the person or organization for personal, economic, political or military advantage.
- The CA operator is in a global region that cannot use the CCADB (per the "Export Compliance" section of the Salesforce Master Subscription Agreement), or is not capable of entering into a contractual agreement with a US-based company.
- The CA operator appears to have:
  - Deliberately violated the version of Mozilla's Root Store Policy or other applicable policy that was in effect at the time that the violation occurred; or
  - Lied, concealed, or failed to disclose the full extent of a problem; or
  - Made intentionally deceptive or recklessly misleading claims relating to operation of the CA or the use of its certificates.
- The CA operator has:
  - Repeated incidents of certificate mis-issuance that the CA operator previously claimed to have resolved;
  - Failed to identify and remediate the root cause of their incident of certificate mis-issuance; or
  - Demonstrated insufficient quality or competence in their CA’s operations by frequently mis-issuing certificates, especially when such mis-issuance would be prevented by pre-issuance lint testing.
Mozilla may deny a root inclusion request for reasons or behaviors not listed on this page.
The following situations are concerning in aggregate, meaning that a concern is raised when several of the main bullet points below apply together. These concerns in aggregate may lead to Mozilla denying the CA operator's root inclusion request. If the CA operator currently has root certificates in Mozilla's root store and these concerns in aggregate apply, then Mozilla should perform a risk versus value assessment, and may remove those root certificates or set them to be distrusted after a specified date.
- The CA’s provided address is a P.O. box, mail drop, or an address shared with numerous other companies/entities (e.g. a shell corporate registry).
- The CA is using an auditing organization (ETSI, WebTrust) that has not audited other publicly trusted CAs whose root certificates are included in browser root store programs, and the Auditor Qualifications indicate that the audit team is inexperienced in auditing CA operations, public key infrastructure, trust services or similar information systems.
  - New auditors are allowed under the condition that the CA ensures that the Audit Team is led by third-party specialists or affiliate audit firms who are experienced in auditing publicly trusted CAs, and this information must be provided as part of the Auditor Qualifications.
- The CA's representatives are not fully transparent on matters such as legal domicile and Control.
  - "Control" (and its correlative meanings, "controlled by" and "under common control with") means possession, directly or indirectly, of the power to: (1) direct the management, personnel, finances, or plans of such entity; (2) control the election of a majority of the directors; or (3) vote that portion of voting shares required for "control" under the law of the entity's Jurisdiction of Incorporation or Registration, but in no case less than 10%.
- The CA's representative is unable to demonstrate that the CA has implemented anti-corruption mechanisms (e.g. ISO 37001 certification) and the CA has physical, monetary, or business nexus to a government of a country that
- The CA is (or the CA's owning entities are) associated with a government that has forced or is forcing end-users to install a government-issued root certificate on their devices, or the government has used certificates issued by the CA to intercept network communications.
- The CA is (or the CA's owning entities are) owned or funded by an individual or government organization that is known to also own or fund a vendor that has provided software being used for network surveillance or cyber espionage to obtain private information about people or organizations without their knowledge or permission in a way that endangers the privacy or device security of those people or organizations.
- The CA uses a shell company, an acquisition, or other misdirection to divert attention away from their relationship with another organization or government.
Warning signs for CA operators who have requested inclusion of their root certificates in Mozilla’s Root Store include but are not limited to the following. CA operators exhibiting these warning signs will have to either improve their operations and demonstrate their ability to maintain the higher level of operations, or their root inclusion request will be denied.
- Has a Certificate Change Prioritization score of P4 or P5.
- Fails to provide prompt, detailed, public, and transparent responses to Mozilla inquiries about their CA operations, root inclusion requests, policy documents, audit statements, and incidents.
- Is not a voting member, associate member, or interested party participating in the CA/Browser Forum (CABF) Server Certificate Working Group (when applying for the Websites trust bit) or the CABF S/MIME Certificate Working Group (when applying for the Email trust bit).
- Is a Super-CA that signs the certificates of subordinate CAs only to show that they have been accredited or licensed by the signing CA (i.e. the super-CA does not guarantee that their subCAs comply with the BRs and Mozilla’s root store policy).
- Has audit statements from an auditor whose auditor qualifications are insufficient or do not pass the verification checks for WebTrust auditors or ETSI auditors.
- Has non-contiguous audit periods, meaning that there is one day or more between consecutive audit periods.
- Does not fully comply with the CABF Baseline Requirements that are relevant to the trust bits they are applying for.
- Does not fully comply with Mozilla’s Root Store Policy; or
- Does any of the activities listed in https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Forbidden_Practices
- Demonstrates unacceptable behavior in Mozilla's dev-security-policy discussion forum, as per Mozilla’s Community Participation Guidelines.
- Fails to follow the CCADB Public Code of Conduct when posting in the CCADB Public discussion forum.
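As an added example (not part of the Mozilla page or its tooling), a small checker for the non-contiguous audit period warning sign above: given a CA's audit periods as inclusive date ranges, it reports every calendar day that no period covers, treating back-to-back and overlapping periods as contiguous and flagging any gap of one day or more. The sample periods are constructed.

```python
from datetime import date, timedelta

# Constructed sample audit periods as (start, end) ISO dates, inclusive on both ends,
# in the form consecutive audit statements typically record them.
CONTIGUOUS_PERIODS = [("2022-01-01", "2022-12-31"), ("2023-01-01", "2023-12-31")]
OVERLAPPING_PERIODS = [("2022-01-01", "2022-12-31"), ("2022-12-15", "2023-12-14")]
GAPPED_PERIODS = [("2023-01-02", "2023-12-31"), ("2022-01-01", "2022-12-31")]  # unsorted on purpose


def audit_gaps(periods):
    """Return every uncovered day span between consecutive audit periods.

    Each result is (first_uncovered_day, last_uncovered_day, number_of_days), with the
    dates as ISO strings. Periods are sorted by start date first, so input order is irrelevant.
    """
    ordered = sorted((date.fromisoformat(s), date.fromisoformat(e)) for s, e in periods)
    gaps = []
    covered_to = None  # latest end date seen so far; this is what makes overlaps harmless
    for start, end in ordered:
        if covered_to is not None and start > covered_to + timedelta(days=1):
            # "One day or more between consecutive audit periods": the day after the
            # previous coverage ended is uncovered, up to the day before this period starts.
            first = covered_to + timedelta(days=1)
            last = start - timedelta(days=1)
            gaps.append((first.isoformat(), last.isoformat(), (last - first).days + 1))
        covered_to = end if covered_to is None else max(covered_to, end)
    return gaps


def is_contiguous(periods):
    """True when no calendar day falls between consecutive audit periods."""
    return not audit_gaps(periods)


if __name__ == "__main__":
    samples = [("contiguous", CONTIGUOUS_PERIODS),
               ("overlapping", OVERLAPPING_PERIODS),
               ("gapped", GAPPED_PERIODS)]
    for name, periods in samples:
        print(name, "OK" if is_contiguous(periods) else f"gaps: {audit_gaps(periods)}")
```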