Mozilla has released version 3.1 of its Mozilla Root Store Policy (MRSP), introducing new requirements aimed at improving transparency and oversight across the public Web PKI.
The updated policy, which takes effect on July 1, 2026, focuses on stronger Certification Authority (CA) documentation and enhanced audit reporting.
While previous Root Store Policy revisions focused on certificate revocation, automation, and operational resilience, version 3.1 shifts attention to making CA operations easier for Mozilla, auditors, and the security community to review.
Mozilla operates one of the industry's major root certificate programs; its Root Store is used by Firefox and by other software that relies on Mozilla's trusted certificate list. Certification Authorities included in the Root Store issue the TLS certificates that authenticate websites and anchor the encrypted connections to them, so a CA's security practices bear directly on the security of the web.
One of the most significant changes in MRSP 3.1 is stricter requirements for Certification Practice Statements (CPS) and combined Certificate Policy/Certification Practice Statement (CP/CPS) documents, which describe how a CA manages certificate issuance and operations.
Mozilla says the quality of these documents has varied considerably across certificate authorities, with some providing detailed technical descriptions while others rely on broad summaries or references to external documents. The updated policy continues to require compliance with RFC 3647 and applicable CA/Browser Forum requirements but adds clearer expectations for documentation quality. CP/CPS documents must explicitly describe certificate issuance and management processes, define operational boundaries, support auditing, and include version control and maintenance procedures.
The second major addition is a new audit artifact called the Detailed Controls Report (DCR). Beginning with audit periods starting on or after July 1, 2027, certificate authorities with root certificates enabled for TLS website authentication must obtain a DCR alongside traditional WebTrust or ETSI audit reports.
Unlike traditional audit reports, which primarily confirm compliance with established standards, DCRs must document the scope of audited CA systems, applicable audit criteria, implemented controls, auditor testing procedures, testing results, and any identified deficiencies or exceptions. Mozilla says it expects to review these reports only when needed, such as during compliance reviews, incident investigations, or root inclusion evaluations.
MRSP 3.1 also aligns Mozilla's mass revocation planning requirements with the CA/Browser Forum Baseline Requirements, clarifies audit expectations for root inclusion requests, and requires root CA key pairs submitted for inclusion to have been generated within the previous five years. The policy also requires timely notification when ownership or operational control of a CA changes so Mozilla can evaluate any compliance implications.
Mozilla says these changes are intended to improve oversight and help reduce the risk of certificate misissuance by making CA operations more transparent and auditable.