Mozilla Proposes Change to Handling of Subordinate CA Certificates

Mozilla is considering a change to the way that it handles certificates issued by externally operated sub-CAs in an effort to gain more control of how these CAs issue certificates and what those certificates can do. 

Mozilla is considering a change to the way that it handles certificates issued by externally operated sub-CAs in an effort to gain more control of how these CAs issue certificates and what those certificates can do. 

The proposal would involve some new controls to help verify that certificates are using keys in the correct ways and aren’t abusing their position in the certificate chain. 

“The proposal is that the EKU [extended key usage] would be specified in the intermediate certificates, and the crypto code would look up the certificate chain at the EKU extensions to make sure that the end-entity certificate is allowed to be used for that purpose. The old NSS code does this if the EKU extension is present in the intermediate certificate, but the new libpkix code doesn’t currently do this,” Mozilla’s Kathleen Wilson wrote in a message on a Google group about the proposed change. “I propose that we consider using EKU in this way and requiring it in Mozilla’s CA Certificate Policy for externally-operated subordinate CAs.”

The proposal sparked a long conversation among representatives of certificate authorities, some of whom questioned the idea of Mozilla requiring audits or other controls from companies that they don’t have any authority over. But Mozilla’s position is that CAs that want to be in its trusted root program need to conform to the rules it sets forth, and those may include the new constraints for externally operated subordinate CAs.

Specifically, Mozilla is asking that such subordinate CAs either be audited or have certain technical constraints placed on their usage of keys passed down from CAs farther up the chain.

“Each externally-operated subordinate CA that is not technically constrained must be publicly disclosed, along with the subordinate CA’s corresponding Certificate Policy or Certification Practice Statement and public attestation of the subordinate CA’s conformance to the stated certificate verification requirements and other operational criteria by a competent independent party or parties with access to details of the subordinate CA’s internal operations. The subordinate CA’s certificate verification requirements and operational criteria must satisfy the requirements of Mozilla’s CA Certificate Policy. The CA’s Certificate Policy or Certification Practice Statement must indicate where the list of publicly disclosed subordinate CAs may be found on the CA’s website,” the new proposed text reads. “For an externally-operated subordinate CA to be considered technically constrained, the subordinate CA certificate (and any intermediate certificates chaining up to that certificate) must include an Extended Key Usage (EKU) extension specifying the key usage of the certificates it can sign.”

The CA system has been a target of a lot of criticism in the last year or so, thanks mainly to a series of high-profile compromises of CAs such as DigiNotar and Comodo that resulted in fraudulent certificates being issued for a long list of domains. Those compromises led to a lot of public discussion about the structure of the CA system, the way in which its run and how easy it is for fraudulent or stolen certificates to end up in circulation. No major changes to the system itself have come from those conversations yet, but some of the browser vendors have been changing aspects of their root CA programs.

Suggested articles


  • Independent on

    Firefox is at it again. What's happened at Mozilla? Their behavior has become nothing short of suicidal!

    This "Lone wolf" tactic is akin to playing russian roullete. Mozilla is only one player in a growing field of browsers (with diminishing market share) because of their abandonment           of customer responsiveness) and acting alone will most likely result in being ignored by these independant sources. How long will a Mozillite (Firefox user) put up with an unresponsive (for whatever reason) browser? Not Very Long!

    All the major browser providers need to form an alliance and band together in this endeavor. Better yet, move this up to the supervisory authority level and redefine the protocol. 

  • Certificate Attestation on

    Mozila firefox active fast  and responsbility of all conditions.And more then uses for that browser.

  • Anonymous on

    Kudos to Mozilla for taking the lead on a growing issue.  To the individual who posted the first comment, choose whatever browser you like.  For me, I will always opt for the one that's most secure.  Today, that's Firefox.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.