Mozilla moves to limit risk of subordinate CA certificate abuse
Sub-CA certificates will need to have technical constraints or be publicly disclosed and audited, Mozilla's new CA Certificate Policy says
IDG News Service - Mozilla is taking steps to limit the risk of powerful subordinate Certificate Authority (CA) certificates falling into the hands of attackers and potentially being used to issue rogue certificates for use in SSL snooping attacks.
The browser maker updated its CA Certificate Policy with new requirements that will improve accountability for subordinate CA (sub-CA) certificates and will subject them to restrictions and independent audits.
Sub-CA certificates inherit the powers of the issuing Certificate Authority (CA) and can be used to issue SSL certificates for any domain names on the Internet that will be accepted by any browser trusting the issuing CA. Until now, this type of powerful certificate has not been strictly regulated and has not been subjected to the same security audits and controls as the root CA certificates that signed them. In some cases CAs do not even publicly disclose the sub-CA certificates they issue.
"Version 2.1 of Mozilla's CA Certificate Policy encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS)," the Mozilla Security Team said Friday in a blog post. "We recognize that technically constraining subordinate CA certificates in this manner may not be practical in some cases, so the subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla's CA Certificate Policy."
What this means is that sub-CA certificates must either have their power restricted through a set of extensions, or be held to the same standards as root CA certificates. In order for a sub-CA certificate to be considered publicly disclosed and audited, the CA must publish the certificate and the Certificate Policy or Certification Practice Statement used by the new subordinate CA, and the new sub-CA's internal operations must be audited annually by an independent party in order to attest its conformance to the certificate verification requirements.
All sub-CA certificates that are issued after May 15, 2013 must comply with the new version of Mozilla's CA Certificate Policy, and pre-existing sub-CA certificates must be updated to comply with the new policy by May 15, 2014.
"With these updates to Mozilla's CA Certificate Policy, we re-iterate our belief that each root is ultimately accountable for every certificate it signs, directly or through its subordinates," the Mozilla Security Team blog reads. "Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe, up to and including the removal of root certificates that mis-issue, as well as any roots that cross-sign them."
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!