Mozilla is removing a Turkish root CA from the Firefox trust store, not because of a compromise or a mistakenly issued certificate, but because the certificate authority hasn’t lived up to the audit requirements Mozilla has for trusted CAs.
Like other browser vendors, Mozilla has a lengthy policy that sets out the requirements for CAs to be included in the trust store for its browser. That trust store is the heart of the way that users interact with secure sites, email servers and other entities that require trusted certificates. Each browser includes a default set of CAs and root certificates that the browser trusts, and historically it’s been quite rare for browser vendors to remove a CA. But in the last few years, a series of attacks on CAs, compromises and certificate thefts has led to a handful of such incidents.
But this move by Mozilla is one of the few public incidents in which a browser vendor has removed a root CA for not meeting the policy requirements. The CA in this case is e-Guven Elektronik Bilgi Guvenligi A.S. in Turkey.
“The integrity of the secure Web depends on CAs issuing certificates that correctly attest to the identity of websites. Mozilla products ship a default list of CA certificates, which may change with each security patch or new version of the product. Inclusion of a CA certificate in Mozilla products involves a rigorous process and evaluation of the CA’s public-facing policy documentation and audit statements, in order to verify that the CA conforms to the criteria required by Mozilla’s CA Certificate Inclusion Policy,” Mozilla’s security team wrote in a blog post.
“The CA certificates included in the Mozilla list can be marked as trusted for various purposes, so that the software can use the CA certificates to verify certificates for (1) SSL/TLS servers, (2) S/MIME email users, and/or (3) digitally-signed code objects, without having to ask users for further permission or information.”
One of the requirements is an annual audit of the CA’s procedures and technical capabilities, and Mozilla officials said that e-Guven hasn’t had such an audit since 2013. Mozilla has contacted company officials a number of times, asking for information or audit statements, and has gotten nothing in return.
The e-Guven root CA will be removed from Firefox starting with version 38.
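A removal like this only protects users whose software actually drops the root, so a practitioner will want to check whether a given root is still present in the trust store an application uses. The following is an added example, not code from Mozilla or the article: it lists the CA roots Python's ssl module loads from the system trust store and filters them by organization name. The sample entries in the `__main__` block are constructed to mirror the dict shape `SSLContext.get_ca_certs()` returns.

```python
import ssl


def subject_to_dict(subject):
    """Flatten the ssl module's subject (a tuple of RDNs, each a tuple of
    (attribute, value) pairs) into a plain {attribute: value} dict."""
    flat = {}
    for rdn in subject:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def find_roots(ca_certs, org_substring):
    """Return the subjects of all roots whose organizationName contains
    org_substring (case-insensitive). ca_certs is a list of dicts as
    returned by SSLContext.get_ca_certs()."""
    hits = []
    needle = org_substring.lower()
    for cert in ca_certs:
        subj = subject_to_dict(cert.get("subject", ()))
        if needle in subj.get("organizationName", "").lower():
            hits.append(subj)
    return hits


def system_roots():
    """Roots loaded from the platform's default CA file/path. Note that
    get_ca_certs() only reports roots loaded from files, so on Windows
    the OS certificate store is not reflected here."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


if __name__ == "__main__":
    # Constructed sample entries (not real certificate data) shaped like
    # the dicts get_ca_certs() yields; the real store is queried below.
    sample = [
        {"subject": ((("countryName", "TR"),),
                     (("organizationName", "e-Guven Elektronik Bilgi Guvenligi A.S."),))},
        {"subject": ((("countryName", "US"),),
                     (("organizationName", "Example Root CA"),))},
    ]
    print("sample store:", find_roots(sample, "guven"))
    print("system store:", find_roots(system_roots(), "guven"))
```

An empty result for the system store means no root with that organization name is loaded; a non-empty one means the application still trusts it regardless of what Firefox ships.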