Mozilla moves to limit risk of subordinate CA certificate abuse
Sub-CA certificates will need to have technical constraints or be publicly disclosed and audited, Mozilla's new CA Certificate Policy says
IDG News Service - Mozilla is taking steps to limit the risk of powerful subordinate Certificate Authority (CA) certificates falling into the hands of attackers and potentially being used to issue rogue certificates for use in SSL snooping attacks.
The browser maker updated its CA Certificate Policy with new requirements that will improve accountability for subordinate CA (sub-CA) certificates and will subject them to restrictions and independent audits.
Sub-CA certificates inherit the powers of the issuing Certificate Authority (CA) and can be used to issue SSL certificates for any domain names on the Internet that will be accepted by any browser trusting the issuing CA. Until now, this type of powerful certificate has not been strictly regulated and has not been subjected to the same security audits and controls as the root CA certificates that signed them. In some cases CAs do not even publicly disclose the sub-CA certificates they issue.
"Version 2.1 of Mozilla's CA Certificate Policy encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS)," the Mozilla Security Team said Friday in a blog post. "We recognize that technically constraining subordinate CA certificates in this manner may not be practical in some cases, so the subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla's CA Certificate Policy."
What this means is that sub-CA certificates must either have their power restricted through a set of extensions, or be held to the same standards as root CA certificates. In order for a sub-CA certificate to be considered publicly disclosed and audited, the CA must publish the certificate and the Certificate Policy or Certification Practice Statement used by the new subordinate CA, and the new sub-CA's internal operations must be audited annually by an independent party in order to attest its conformance to the certificate verification requirements.
All sub-CA certificates that are issued after May 15, 2013 must comply with the new version of Mozilla's CA Certificate Policy, and pre-existing sub-CA certificates must be updated to comply with the new policy by May 15, 2014.
"With these updates to Mozilla's CA Certificate Policy, we re-iterate our belief that each root is ultimately accountable for every certificate it signs, directly or through its subordinates," the Mozilla Security Team blog reads. "Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe, up to and including the removal of root certificates that mis-issue, as well as any roots that cross-sign them."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Desktop Apps White Papers | Webcasts