UPDATED: A certificate authority in Malaysia has had to revoke 22 certificates it issued with weak keys and missing extensions. The problem has prompted Mozilla to revoke trust in the intermediate certificate authority from Digicert Sdn. Bhd., and Microsoft said it plans to do the same.
A statement from Entrust, which issued the intermediate certificate to Digicert, says that there is no evidence that the CA has been compromised. However, the problem is serious enough that Mozilla moved quickly with its decision to remove the Digicert CA from its list of trusted roots. The Digicert CA in Malaysia is not affiliated with DigiCert, the U.S.-based certificate authority.
“Entrust, Inc., a certificate authority in Mozilla’s root program, has informed us that one of their subordinate CAs, the Malaysian company DigiCert Sdn. Bhd, has issued 22 certificates with weak keys. While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised. Furthermore, certificates from this CA contain several technical issues. They lack an EKU extension specifying their intended usage and they have been issued without revocation information,” the statement from Mozilla says.
“This is not a Firefox-specific issue. Nevertheless, given our concerns about the technical practices of this certificate authority, we intend to revoke trust in the DigiCert Sdn. Bhd. intermediate certificate authority.”
Entrust said that in addition to the weak, 512-bit encryption keys associated with the certificates, the certs also are missing some extensions that provide technical data about their contents.
“Entrust has issued an intermediate CA certificate (cross certificate) to Digicert Malaysia which has been licensed for distribution with SSL and S/MIME certificates. Entrust issued the intermediate CA certificate in July of 2010. It has been discovered that Digicert Malaysia has issued certificates with weak 512-bit RSA keys and missing certificate extensions. Their certificate issuing practices violated their agreement, their CPS, and accepted CA standards. Digicert Malaysia has revoked all of the 512-bit certificates (twenty-two) that they issued and have made them available to major browser vendors to blacklist as they deem appropriate,” the Entrust advisory says.
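The three defects named in the Mozilla and Entrust statements above (512-bit RSA keys, no EKU extension, no revocation information) are all visible in the certificate itself, so a relying party or a CA's own issuance pipeline can check for them before a certificate is ever trusted. The checker below is an added example written for this post, not code from Mozilla, Entrust or either DigiCert; it uses only the Python standard library, walking the DER structure directly to find the RSA modulus size and the extension OIDs (the OIDs for rsaEncryption, extKeyUsage, cRLDistributionPoints and authorityInfoAccess are the standard ones). The sample certificate it audits is constructed inline with a tiny DER encoder: an unsigned X.509 skeleton with a placeholder modulus, labelled as such in the code, and not one of the 22 revoked certificates.

```python
"""Flags the issuance defects the article names: an RSA key below a size floor, no
Extended Key Usage (EKU) extension, and no revocation information (neither CRL
Distribution Points nor Authority Information Access). Standard library only; the
sample certificate is CONSTRUCTED with a tiny DER encoder and is not a real one."""
RSA_OID = "1.2.840.113549.1.1.1"   # rsaEncryption
EKU_OID = "2.5.29.37"              # extKeyUsage
CRL_DP_OID = "2.5.29.31"           # cRLDistributionPoints
AIA_OID = "1.3.6.1.5.5.7.1.1"      # authorityInfoAccess (OCSP / CA issuers)

def tlv(tag, body):
    """DER tag-length-value; long-form length when the body is 128 bytes or more."""
    n = len(body)
    nb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(nb)]) + nb + body

def der_int(n):   # (bit_length + 8) // 8 adds the 0x00 pad DER needs when the top bit is set
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def der_seq(*parts):
    return tlv(0x30, b"".join(parts))

def parse(buf):
    """Return a list of (tag, body, children) nodes; constructed tags (bit 0x20) recurse."""
    nodes, i = [], 0
    while i < len(buf):
        tag, length, j = buf[i], buf[i + 1], i + 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, j = int.from_bytes(buf[j:j + n], "big"), j + n
        body = buf[j:j + length]
        nodes.append((tag, body, parse(body) if tag & 0x20 else []))
        i = j + length
    return nodes

def walk(nodes):
    for node in nodes:
        yield node
        yield from walk(node[2])

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def rsa_modulus_bits(cert_der):
    """Find SubjectPublicKeyInfo = SEQUENCE { AlgorithmIdentifier(rsaEncryption), BIT STRING }."""
    for tag, _, children in walk(parse(cert_der)):
        if tag == 0x30 and len(children) == 2:
            alg, key = children
            if (alg[0] == 0x30 and alg[2] and alg[2][0][0] == 0x06
                    and decode_oid(alg[2][0][1]) == RSA_OID and key[0] == 0x03):
                rsa_pub = parse(key[1][1:])            # skip the unused-bits octet
                return int.from_bytes(rsa_pub[0][2][0][1], "big").bit_length()  # modulus
    return None

def extension_oids(cert_der):
    """Extensions sit in the [3] EXPLICIT element (tag 0xA3) of tbsCertificate."""
    found = set()
    for tag, _, children in walk(parse(cert_der)):
        if tag == 0xA3:
            found.update(decode_oid(b) for t, b, _ in walk(children) if t == 0x06)
    return found

def audit(cert_der, min_bits=2048):
    bits, exts, findings = rsa_modulus_bits(cert_der), extension_oids(cert_der), []
    if bits is not None and bits < min_bits:
        findings.append(f"RSA key is {bits} bits (minimum {min_bits})")
    if EKU_OID not in exts:
        findings.append("no Extended Key Usage extension")
    if CRL_DP_OID not in exts and AIA_OID not in exts:
        findings.append("no revocation information (no CRL DP, no AIA/OCSP)")
    return bits, findings

def make_sample(modulus_bits, with_extensions):
    """CONSTRUCTED, unsigned X.509 skeleton; the modulus is a placeholder, not a real RSA key."""
    modulus = (1 << (modulus_bits - 1)) | 1               # exactly modulus_bits bits long
    spki = der_seq(der_seq(der_oid(RSA_OID), tlv(0x05, b"")),
                   tlv(0x03, b"\x00" + der_seq(der_int(modulus), der_int(65537))))
    name = der_seq(tlv(0x31, der_seq(der_oid("2.5.4.3"), tlv(0x0C, b"example.test"))))
    validity = der_seq(tlv(0x17, b"111104000000Z"), tlv(0x17, b"121104000000Z"))
    sig_alg = der_seq(der_oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))  # sha256WithRSA
    exts = b""
    if with_extensions:
        exts = tlv(0xA3, der_seq(
            der_seq(der_oid(EKU_OID), tlv(0x04, der_seq(der_oid("1.3.6.1.5.5.7.3.1")))),
            der_seq(der_oid(CRL_DP_OID), tlv(0x04, b""))))  # presence only; value elided
    tbs = der_seq(tlv(0xA0, der_int(2)), der_int(1), sig_alg, name, validity, name, spki, exts)
    return der_seq(tbs, sig_alg, tlv(0x03, b"\x00" * 9))  # placeholder signature bits
```

Running `audit(make_sample(512, False))` reports all three findings the statements describe, while `audit(make_sample(2048, True))` is clean; feeding `audit` the DER bytes of a real certificate (for example one read from a file) exercises the same checks. The structural walk is deliberately generic so that a certificate with extra or reordered fields still yields its key size and extension list; a missing modulus (a non-RSA key) returns `None` rather than a false finding.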
Entrust said that it plans to revoke the Digicert intermediate CA certificate by Tuesday, Nov. 8. Mozilla did not specify exactly when it will revoke trust in the Digicert certificates, but said that the updates would be in Firefox 8 and 3.6.24.
“There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised. These compromised certificates could allow an attacker to impersonate the legitimate owner and make a user believe they are trusting a website or signed software that was created for malicious use. The subordinate CA has clearly demonstrated poor CA security practices and Microsoft intends to revoke trust in the intermediate certificates,” Microsoft’s Jerry Bryant said in a blog post.
The problems for Digicert are the latest in a year when CAs have been under assault by attackers. The Comodo compromise in March was the first high-profile incident, and was followed this summer by the attack on DigiNotar, which eventually resulted in the CA going out of business.
This post was updated on Nov. 4 to add information about Microsoft revoking trust in the Digicert CA.