→Who May Apply: Updated to align with version 2.6 of policy that removed requirement that roots benefit Mozilla users.
CAs must carefully consider whether their root certificate needs to be [[CA/Included_Certificates|directly included in Mozilla's root store]] or if it would be better to be a [[CA/Intermediate_Certificates|subordinate CA of an already-included CA]].
Having a root certificate you control included in Mozilla's root store is a significant ongoing responsibility; it is '''not''' a one-time, trivial effort. It means that, in the normal case, the world will trust you to correctly issue digital certificates identifying any website and/or email address. There will be associated costs in maintaining the required security infrastructure, keeping up-to-date with evolving technical and procedural requirements, and conducting audits on an annual basis. After a CA has a certificate included in Mozilla's root store, it is expected that the CA will continue to be aware of [https://groups.google.com/forum/#!forum/mozilla.dev.security.policy ongoing discussions] and updates to [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]. The CA is required to send regular updates to Mozilla via the [http://ccadb.org/ Common CA Database (CCADB)], including annual updates to their policy and audit documentation.
= Process Overview =