Amnesty for CA Violations

Wednesday, February 22, 2012 @ 04:02 PM gHale

Mozilla wants all certificate authorities (CAs) to revoke subordinate CA certificates used for corporate SSL traffic management, offering a reprieve to any CAs that breached Mozilla’s conditions for having their root certificates ship with its products.

The request comes after Trustwave issued a sub-CA certificate to a private company for use in a data loss prevention system.


Sub-CA keys can sign SSL certificates for any domain name on the Internet, which makes them very dangerous if they fall into the wrong hands.

Even though Trustwave said the sub-CA key in question was in a hardware security module (HSM), making it irretrievable, the fact that such a powerful certificate was issued to a private company that wasn’t a certificate authority represents a violation of Mozilla’s policy for CAs.

Certificate authorities voluntarily adhere to Mozilla’s CA Certificate Policy in order to have their root keys included by default in Firefox, Thunderbird and other Mozilla products.

“Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe, up to and including the removal of root certificates that mis-issue, as well as any roots that cross-sign them,” said Johnathan Nightingale, senior director of Firefox Engineering at Mozilla.

Because there is reason to believe that multiple CAs engage in this type of behavior, Mozilla has decided to offer everyone a one-time chance to come clean about it without risking repercussions instead of making an example out of Trustwave, which would likely discourage similar disclosures.

“We believe that security is best served when browsers and CAs can work together; we hope that frank communication and clear expectations can resolve these issues before any such action is required,” Nightingale said.

Mozilla made its amnesty offer in an email to all CAs on Friday, asking them to revoke sub-CA certificates used for SSL man-in-the-middle interception or traffic management and to destroy the corresponding HSMs.

“We have requested the serial numbers of those certificates and fingerprints of their signing roots so that we, and other relying parties, can detect and distrust these subCA certificates if encountered,” Nightingale said.

CAs have until April 27 to comply with these requests. If such certificates are found after that date, the issuing CAs will face punishments including the removal of their root keys from Mozilla’s products.


