Mozilla has warned certificate authorities included in its root CA Certificate Program that they only have a few weeks left to comply with the company’s new policy, which requires CAs to adhere to the CA/Browser Forum Baseline Requirements and provide proof of audits of their subordinate certificates. The company made the policy change last year, but gave CAs about a year to comply and now that grace period is running out.
Mozilla officials first began discussing the change to the CA policy more than two years ago, and it prompted a lot of discussion among CAs. The big change is that Mozilla wants subordinate CAs–meaning those that chain up to a root certificate in the company’s Certificate Program–to be audited or have technical constraints placed on the way that their keys are used by subordinate CAs.
In the email sent to CAs on Wednesday, Kathleen Wilson of Mozilla said that CAs need to respond by May 30 with some specific information about the way they handle subordinate CAs.
“Ensure that Mozilla’s spreadsheet of included root certificates has the correct link to your most recent audit statement, and that the date of the audit statement is correct. As per Mozilla’s CA Certificate Maintenance Policy, we require that all CAs whose certificates are distributed with our software products provide us an updated statement annually of attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties,” the email says.
The change by Mozilla is the result of a number of highly publicized breaches at certificate authorities and the use of stolen certificates in malware campaigns and targeted attacks. A handful of CAs, including DigiNotar and Comodo, have been compromised in the last few years, and in some cases fraudulent certificates have been issued for high-profile sites and used in attacks.
The change by Mozilla is a step in the direction of exerting tighter controls on CAs. The root CAs that are included in browsers such as Firefox, Internet Explorer and Chrome are built in and users typically have little visibility into who the companies behind these CAs are and whether they’re trustworthy. Mozilla officials see this change to its CA Certificate Policy as a way to get a better handle on how CAs operate.
“Participation in Mozilla’s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve,” Wilson said in the email.