Mozilla calls for tighter controls on sub-CAs
If a proposal from Kathleen Wilson, who is responsible for Mozilla's CA module, is accepted, controls on sub-CAs will in future be tightened to prevent sub-CA certificates from being issued for surveillance purposes. This follows the recent disclosure that certification authority Trustwave had sold a sub-CA certificate to one company for the purpose of internal monitoring of its own staff.
If the proposal is adopted, externally-operated sub-CAs will have to publicly disclose their certificate policies and have them independently audited, mirroring the current practice for CAs. CAs will also have to keep public lists of all sub-CA certificates (also known as intermediate certificates) they have issued. Such a list would make it immediately obvious if a company is not actually issuing certificates to third parties.
The proposal provides for an alternative, under which CAs that do not want to publicly disclose this information would be permitted to severely restrict the rights of sub-CAs by using the Extended Key Usage (EKU) extension. If a sub-CA wanted, for example, to issue web site certificates, the CA would have to use name constraints (RFC 5280) to specify precisely which domains the subordinate certificate could issue certificates for. If the sub-CA were then to issue certificates for other, unauthorised domains, these certificates would be rejected by the user's browser.
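How a validator could apply such limits, as an added example (not code from Mozilla or from the proposal): it evaluates dNSName name constraints in the manner of RFC 5280 and treats an EKU on the sub-CA certificate as a limit on the purposes of certificates issued below it. The `SUB_CA` record, the `check_leaf` and `in_subtree` helpers and all domain names are constructed for illustration.

```python
# Added example. All names and the SUB_CA record are constructed sample values.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection

# Constructed sub-CA limits: TLS server certificates for one company's domains only.
SUB_CA = {
    "eku": {SERVER_AUTH},
    "permitted_dns": ["example.com", "example.net"],
    "excluded_dns": ["payroll.example.com"],
}

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def in_subtree(name, base):
    """True if name equals base or adds whole labels to its left-hand side."""
    n, b = _labels(name), _labels(base)
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def check_leaf(dns_names, purpose, sub_ca):
    """Return a list of violations; an empty list means the leaf is acceptable."""
    problems = []
    # Assumption: an EKU on the sub-CA limits the purposes of certificates below it.
    if sub_ca["eku"] and purpose not in sub_ca["eku"]:
        problems.append(f"purpose {purpose} not covered by sub-CA EKU")
    for name in dns_names:
        # Excluded subtrees win over permitted ones.
        if any(in_subtree(name, x) for x in sub_ca["excluded_dns"]):
            problems.append(f"{name}: inside an excluded subtree")
        # With no permitted subtrees listed, every non-excluded name is allowed.
        elif sub_ca["permitted_dns"] and not any(
            in_subtree(name, p) for p in sub_ca["permitted_dns"]
        ):
            problems.append(f"{name}: outside all permitted subtrees")
    return problems

if __name__ == "__main__":
    for names in (["www.example.com"], ["evil-example.com"], ["hr.payroll.example.com"]):
        print(names, check_leaf(names, SERVER_AUTH, SUB_CA) or "ok")
```

Matching is done on whole labels, so `evil-example.com` does not fall under a constraint for `example.com` even though it ends with the same characters.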
Anyone failing to play by Mozilla's rules would risk being kicked out of its trusted root programme, with the result that Mozilla products would no longer regard them as trusted. A certification authority faced with this situation would have huge difficulties maintaining its position in the market.