MRSP 3.1: Results of CA Communication and Survey

[Ben Wilson]

All,

Thanks to the CA Operators who participated in the recent survey regarding the proposed changes for Mozilla Root Store Policy (MRSP) version 3.1.  We received substantial, thoughtful, and constructive feedback, which provided useful insight into both implementation challenges and areas needing more clarity.  We are currently reviewing the responses, and I'll be making revisions to the draft MRSP v3.1 where appropriate based on that input.

In parallel, I am preparing summaries of the survey results, which I will publish on the Mozilla wiki.

Thanks,

Ben Wilson
Mozilla Root Program

[Ben Wilson]

Hello everyone,

Thanks to the CA operators who participated in the recent Mozilla CA Operator Communication and Survey regarding the proposed Mozilla Root Store Policy (MRSP) v3.1 changes.

We have now published an anonymized copy of the survey responses on the Mozilla CA wiki:

https://wiki.mozilla.org/CA/Communications#May_2026_CA_Communication_and_Survey

Company names and respondent names have been removed. The published responses are intended to provide transparency into the feedback received and to assist the community in understanding the issues raised during the review period.

Based on the feedback received, I have revised sections 3.1.5 and 3.3 of the draft MRSP:

• Section 3.1.5 (Detailed Controls Reports)
• Section 3.3 (CPs and CPSes)

These revisions are intended to address many of the comments submitted by CA operators, including questions relating to audit framework flexibility, confidentiality protections, audit timing, externally-operated subordinate CAs, CP/CPS documentation structure, incorporation by reference, version history, certificate profile disclosures, repository requirements, and protection of security-sensitive information.

In particular, the revised DCR language now clarifies that:

• Multiple audit frameworks may be used, including ETSI-based reports, provided the required information is present;
• DCRs are not required to be publicly disclosed;
• Mozilla may request existing DCRs for supervisory review purposes;
• Confidentiality protections and limited redactions are permitted; and
• The requirement applies to annual audit periods beginning on or after July 1, 2027.

The revised CP/CPS provisions further clarify expectations regarding implementation commitments, sufficiency of disclosure, incorporation by reference, documentation structure, certificate and revocation profiles, version history, and maintenance of current and accurate documentation.

A recurring theme in the survey responses was a request for examples and implementation guidance rather than additional policy text. In response, I am preparing companion wiki guidance for both CP/CPS Documentation and Detailed Controls Reports. The guidance is expected to include illustrative examples, frequently asked questions, and practical implementation considerations intended to promote consistent interpretation of the requirements while preserving flexibility in how CA operators meet them.

Please review the updated draft language and survey responses and provide any additional comments as soon as practical. My goal is still to complete the remaining updates and publish MRSP v3.1 with an effective date of June 15, 2026.

Thank you again to everyone who took the time to review the proposed changes and provide feedback.

Ben Wilson
Mozilla Root Program