Tuesday, September 13, 2011

Mozilla Threatens CAs With Possible Removal From Firefox


ComodoHacker’s claim to have access to more certificate authorities (CAs) than just DigiNotar has apparently prompted Mozilla to ask all other CAs to investigate their CA infrastructures for data breaches and confirm specific security barriers in their certificate issuing process.

Kathleen Wilson, CA certificates module owner at Mozilla, notified CAs that are supported by Firefox that Mozilla is expecting them to go through a list of requirements that has been created to safeguard Firefox users. 
The CAs have until September 16 to:

- audit their PKI and check their infrastructure for intrusions at CAs and RAs
- send Mozilla a list of cross-signed CA certificates
- confirm that the CA requires multi-factor authentication
- confirm that there are automatic and manual blocks in place for high-profile domain names
- confirm technical controls to “restrict issuance” to certain domain names to third party CAs and RAs or provide a list of all third parties with links to their certification practice.

Wilson noted that “Mozilla recently removed” the DigiNotar root certificate in Mozilla, because DigiNotar “failed to promptly detect, contain and notify Mozilla of a security breach regarding their root and subordinate certificates.” She did not explicitly threaten other CAs with root certificate removal, but said that “participation in Mozilla’s root program is at [Mozilla's] sole discretion” and that Mozilla “will take whatever steps are necessary to keep [its] users safe.” That said, Wilson also noted that Mozilla wants to work with CAs as “partners.”

To us, it is pretty clear what Wilson’s words mean. (We tend to think that Wilson wrote this post as a Mozilla employee and in the name of Mozilla.) Failure to comply with its requests will result in certificate removal. The email is justified, even if its tone is a bit out of place. Security and trust in certificates have to be restored and, given the current situation, there isn’t much time. Better safe than sorry, I guess.

Daniel Bailey in Business on September 08
