Firefox to Revoke Spying Digital Certificates

   The news about digital certificates {Chapter 12 Security+ 4ed} just won't end this week.  First came the news that Google Chrome will no longer use the Online Certificate Status Protocol (OCSP) to check online whether a certificate has been revoked (see the Feb 12, 2012 blog posting).  Next came news that the first Baseline Requirements for digital certificates are being distributed by the CA/Browser Forum (see the Feb 14, 2012 blog posting).  Now Mozilla is asking all certificate authorities (CAs) {Chapter 12 Security+ 4ed} to revoke digital certificates that could be used to spy on encrypted traffic.

   Many companies want to inspect Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted transmissions, whose server authentication is based on digital certificates {Chapter 12 Security+ 4ed}.  They do this to watch for data leaks or to detect internal policy violations.  To make that possible, some CAs have issued a company a certificate that lets the company in turn issue valid certificates for any server, and "any" really does mean any (as it turns out, this has been a relatively common practice in the industry).  Such a certificate, known as a subordinate CA (or "sub-CA") certificate, chains up to a root that browsers already trust, so its owner can sign digital certificates for virtually any domain on the Internet and browsers will accept them without complaint.  In practice the company's inspection device sits between the user and the real site, presents a freshly minted certificate for whatever site the user asked for, and decrypts the session: a man-in-the-middle in all but name.  Nothing in an unrestricted sub-CA certificate limits which names it may sign, which is what makes this use of sub-CA certificates to watch enterprise communications dangerous.  What if these companies want to spy on traffic for domains that they don't control?  And what happens if such a certificate, together with its private key, is stolen?
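The mechanics described above can be reproduced with nothing more than the openssl command line.  The script below is an added example written for this page; it is not from the original post, from Mozilla, or from any CA.  It assumes OpenSSL 1.1.1 or newer is installed, and every name in it (Example Root CA, the corp.internal domain, www.example.com) is made up.  It builds a private root, issues two sub-CA certificates under it, one with no restrictions and one carrying the X.509 Name Constraints extension, and then asks openssl verify whether a server certificate for www.example.com chains to the root through each.  Name Constraints is the standard X.509 mechanism for limiting what a sub-CA may sign; whether any particular CA used it is not something this post establishes.

```shell
#!/bin/sh
# Added example (not from the original post): a three-level toy PKI showing
# why an unconstrained sub-CA certificate can impersonate any site, and what
# the Name Constraints extension changes.  All names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config.  [dn] is empty because subjects are passed via -subj.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_subca_open ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_subca_constrained ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# The fix: this sub-CA may only sign DNS names under corp.internal.
nameConstraints = critical, permitted;DNS:corp.internal
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed root: stands in for a root a browser ships with and trusts.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 2 -config ext.cnf -extensions v3_root 2>/dev/null

# make_subca <name> <extension section>: sub-CA certificate signed by the root.
make_subca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=Example Corp Monitoring CA ($1)" -config ext.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA root.pem -CAkey root.key -CAcreateserial \
    -out "$1.pem" -days 1 -extfile ext.cnf -extensions "$2" 2>/dev/null
}

# make_leaf <subca> <hostname> <outname>: server certificate for <hostname>
# signed by <subca>, exactly as an interception box would mint one on the fly.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$3.key" -out "$3.csr" \
    -subj "/CN=$2" -config ext.cnf 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$2" > "$3.ext"
  openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -out "$3.pem" -days 1 -extfile "$3.ext" 2>/dev/null
}

# verify_leaf <subca> <outname>: what a client does, with only the root
# trusted and the sub-CA supplied as an untrusted intermediate.  Echoes OK/FAIL.
verify_leaf() {
  if openssl verify -CAfile root.pem -untrusted "$1.pem" "$2.pem" >/dev/null 2>&1; then
    echo "OK"
  else
    echo "FAIL"
  fi
}

make_subca open v3_subca_open
make_subca constrained v3_subca_constrained
make_leaf open www.example.com open-example
make_leaf constrained www.example.com constrained-example
make_leaf constrained mail.corp.internal constrained-internal

echo "unconstrained sub-CA -> www.example.com:    $(verify_leaf open open-example)"
echo "constrained sub-CA   -> www.example.com:    $(verify_leaf constrained constrained-example)"
echo "constrained sub-CA   -> mail.corp.internal: $(verify_leaf constrained constrained-internal)"
```

The first line reports OK: a certificate for a domain the company does not own validates perfectly, because the client only checks that the chain ends at a trusted root.  The second reports FAIL (drop the `2>&1` redirection in verify_leaf to see OpenSSL's "permitted subtree violation"), and the third reports OK, because the constrained sub-CA is only allowed to vouch for names the company actually controls.  The `2>/dev/null` redirections merely hide key-generation noise; remove them when debugging.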

   Mozilla, which develops the Firefox Web browser, says that this is a violation of its CA policy (see https://wiki.mozilla.org/CA:SubordinateCA_checklist).   So Mozilla has sent a communication to all CAs whose roots Firefox trusts asking that they not only disclose any such sub-CA certificates but also revoke them.  If a CA does not do so after a grace period (the length has yet to be decided, but may be between 2 and 3 months), Mozilla will remove that CA's root certificate from its products, and every certificate that chains to that root, which is to say every certificate the CA ever signed, would produce an error when a site using it is opened in Firefox (ouch!).  Mozilla will also need the help of all the other browser vendors to do the same, since a root removed from Firefox alone stays trusted everywhere else. 

   There is an outcry in the CA industry.  Some say that Mozilla should not be trying to force CAs to support Mozilla's policy.  Others say that a six-month grace period is needed, while some say that there should be no grace period at all.

   Stay tuned, and stay secure!

http://www.cengage.com/community/infosec

Posted 02-15-2012 12:57 PM by Mark Ciampa