SecurityWeek

Network Security

Mozilla Updates CA Certificate Policy

Mozilla announced an update to their CA Certificate policy on Friday, including changes on compliance and auditing. The update, the organization explained in a blog post, continues their efforts towards stronger controls and visibility.

“Mozilla is working towards stronger controls and visibility of publicly-trusted issuing certificates in order to make better trust decisions, detect security incidents faster, and limit the impact of each security incident,” a blog post from the Mozilla Security Team explained.

Version 2.1 of the CA Certificate policy encourages CAs to constrain subordinate CA certificates using X.509 extensions (RFC 5280) to restrict usage. However, the post adds that Mozilla knows such constraints may not be practical in some cases. Therefore, subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla’s CA Certificate Policy.
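The constraints the policy refers to are ordinary RFC 5280 extensions: basicConstraints (with pathLenConstraint), Name Constraints, and Extended Key Usage. The script below is an added example and is not code from the article or from Mozilla; it assumes the `cryptography` library is installed, builds a constructed root and two constructed intermediates in memory, and reports which of those extensions each intermediate carries. The rule it uses to call an intermediate "technically constrained" (a restricting EKU, plus Name Constraints whenever serverAuth is among the EKUs) is this example's own summary of the idea, not the policy's exact wording.

```python
"""Report the RFC 5280 technical constraints on a subordinate CA certificate.

Added example, not part of the SecurityWeek article or Mozilla's policy.
Assumes the `cryptography` package; all certificates are constructed here.
"""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# id-ce-extKeyUsage anyExtendedKeyUsage (2.5.29.37.0): an EKU that only lists
# this value does not restrict anything.
ANY_EKU = x509.ObjectIdentifier("2.5.29.37.0")


def _key():
    return ec.generate_private_key(ec.SECP256R1())


def _build_ca(subject_cn, issuer_cn, issuer_key, subject_key, *,
              path_len=None, name_constraints=None, ekus=None):
    """Build a CA certificate; the constraint arguments are optional so the
    same helper yields both an unconstrained and a constrained subCA."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    start = datetime.datetime(2013, 5, 15)  # constructed validity window
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=path_len),
                       critical=True)
    )
    if name_constraints is not None:
        builder = builder.add_extension(name_constraints, critical=True)
    if ekus is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def constraint_report(cert):
    """Summarise the constraint-related extensions of a CA certificate."""
    report = {"is_ca": False, "path_len": None, "name_constraints": False,
              "permitted_dns": [], "eku": [], "technically_constrained": False}
    exts = cert.extensions
    try:
        bc = exts.get_extension_for_class(x509.BasicConstraints).value
        report["is_ca"], report["path_len"] = bc.ca, bc.path_length
    except x509.ExtensionNotFound:
        pass
    try:
        nc = exts.get_extension_for_class(x509.NameConstraints).value
        report["name_constraints"] = True
        report["permitted_dns"] = [n.value for n in (nc.permitted_subtrees or [])
                                   if isinstance(n, x509.DNSName)]
    except x509.ExtensionNotFound:
        pass
    try:
        eku = exts.get_extension_for_class(x509.ExtendedKeyUsage).value
        report["eku"] = [oid.dotted_string for oid in eku]
    except x509.ExtensionNotFound:
        pass
    # Working rule (this example's assumption): the EKU must actually restrict
    # usage, and a subCA allowed to issue serverAuth certs must also carry
    # Name Constraints so it cannot issue for arbitrary domains.
    ekus = report["eku"]
    restricting_eku = bool(ekus) and ANY_EKU.dotted_string not in ekus
    needs_name_constraints = ExtendedKeyUsageOID.SERVER_AUTH.dotted_string in ekus
    report["technically_constrained"] = restricting_eku and (
        report["name_constraints"] or not needs_name_constraints)
    return report


def build_demo():
    """Constructed root plus one unconstrained and one constrained subCA."""
    root_key, unc_key, con_key = _key(), _key(), _key()
    unconstrained = _build_ca("Constructed Unconstrained SubCA", "Constructed Root",
                              root_key, unc_key)
    constrained = _build_ca(
        "Constructed Constrained SubCA", "Constructed Root", root_key, con_key,
        path_len=0,
        name_constraints=x509.NameConstraints(
            permitted_subtrees=[x509.DNSName("example.test")],
            excluded_subtrees=None),
        ekus=[ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH])
    return unconstrained, constrained


if __name__ == "__main__":
    for cert in build_demo():
        print(cert.subject.rfc4514_string(), constraint_report(cert))
```

Run it as a script to print one report per constructed intermediate; pointing `constraint_report` at a real subordinate CA certificate loaded with `x509.load_pem_x509_certificate` gives the same fields for that certificate.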

All subordinate CA certificates issued after May 15, 2013 must comply with the new CA Certificate policy within one year, a timeline that accounts for the impact these changes may have on large organizations that will need to plan for new infrastructure and auditing.

Moreover, another change in the policy centers on baseline requirements, or BRs, which provide clear standards on important subjects including verification of identity, certificate content and profiles, CA security, revocation mechanisms, and use of algorithms and key sizes.

Mozilla says that CAs will be required to update their operations and SSL certificate issuance to comply with version 1.1 of the CA/Browser Forum’s BRs immediately.

“As of February 2013, SSL certificate issuance must be audited according to the BR criteria, but initial BR audits for each CA and subCA that include a reasonable list of exceptions will be considered and potentially accepted,” Mozilla said.

Last year, after Trustwave caused a scuffle over subordinate certificates, Mozilla revisited its CA policy, including what happens if partners and vendors fail to meet expectations.

“Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe, up to and including the removal of root certificates that mis-issue, as well as any roots that cross-sign them…”

Version 2.1 of the CA Certificate Policy is available here.
