February 19, 2013, 4:50 PM — Mozilla is taking steps to limit the risk of powerful subordinate Certificate Authority (CA) certificates falling into the hands of attackers and potentially being used to issue rogue certificates for use in SSL snooping attacks.
The browser maker updated its CA Certificate Policy with new requirements that will improve accountability for subordinate CA (sub-CA) certificates and will subject them to restrictions and independent audits.
Sub-CA certificates inherit the powers of the issuing Certificate Authority (CA) and can be used to issue SSL certificates for any domain names on the Internet that will be accepted by any browser trusting the issuing CA. Until now, this type of powerful certificate has not been strictly regulated and has not been subjected to the same security audits and controls as the root CA certificates that signed them. In some cases CAs do not even publicly disclose the sub-CA certificates they issue.
"Version 2.1 of Mozilla's CA Certificate Policy encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS)," the Mozilla Security Team said Friday in a blog post. "We recognize that technically constraining subordinate CA certificates in this manner may not be practical in some cases, so the subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla's CA Certificate Policy."
What this means is that sub-CA certificates must either have their power restricted through a set of extensions, or be held to the same standards as root CA certificates. In order for a sub-CA certificate to be considered publicly disclosed and audited, the CA must publish the certificate and the Certificate Policy or Certification Practice Statement used by the new subordinate CA, and the new sub-CA's internal operations must be audited annually by an independent party in order to attest its conformance to the certificate verification requirements.
All sub-CA certificates that are issued after May 15, 2013 must comply with the new version of Mozilla's CA Certificate Policy, and pre-existing sub-CA certificates must be updated to comply with the new policy by May 15, 2014.
"With these updates to Mozilla's CA Certificate Policy, we re-iterate our belief that each root is ultimately accountable for every certificate it signs, directly or through its subordinates," the Mozilla Security Team blog reads. "Participation in Mozilla's root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe, up to and including the removal of root certificates that mis-issue, as well as any roots that cross-sign them."