Mozilla asks all CAs to carry out security audits
Following the attack on Dutch certification authority (CA) DigiNotar, Mozilla has sent a warning email to all CAs with root certificates in Firefox and Thunderbird. Kathleen Wilson, responsible for certificate management at Mozilla, is asking CAs to undertake a security audit of their public key infrastructure (PKI) and to forward the results to Mozilla by 16 September.
Wilson is also asking them to set up block lists for prominent domains such as google.com and facebook.com. She wants CAs to carry out manual checks before issuing certificates to such high profile domains. CAs are also being asked to disclose the checking process used in such cases to Mozilla.
CAs that permit third parties to issue certificates will be required to restrict this using a whitelist or send full details of the issuer and its business practices to Mozilla. All user accounts that are entitled to issue certificates must be protected by multi-factor authentication.
If the root certificate of a compromised CA is removed from the list of trusted CAs, a cross-signature from another CA could mean that certificates issued by the first CA are still accepted. Consequently, Mozilla is now demanding more information on interlinking between CAs and has requested a list of cross-signing partners for each CA.
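Why removing a root alone does not end trust in a cross-signed CA, as an added example that is not part of the original article: a toy PKI built with Python's `cryptography` library, in which Root A is also cross-signed by Root B (all names, keys and certificates are constructed here, none are real). A small path search shows that distrusting Root A still leaves a valid chain to Root B through the cross-certificate, and that the chain only disappears once the cross-certificate itself is blocked as well.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    # Minimal ECDSA-signed certificate for the toy PKI built below (constructed, not real).
    start = datetime.datetime(2011, 9, 1, tzinfo=datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    # Name chaining plus a real signature check with the candidate issuer's key.
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def trust_paths(cert, pool, anchors, path=()):
    # Every chain from `cert` up to a trust anchor; `pool` holds candidate intermediates.
    path = path + (cert,)
    found = [path + (a,) for a in anchors if signed_by(cert, a)]
    for cand in pool:
        if cand not in path and signed_by(cert, cand):
            found += trust_paths(cand, pool, anchors, path)
    return found

# Toy PKI: two roots, Root A cross-signed by Root B, one intermediate under A, one leaf.
KEY_A, KEY_B, KEY_INT, KEY_LEAF = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
ROOT_A = make_cert("Root A", KEY_A, "Root A", KEY_A, True)
ROOT_B = make_cert("Root B", KEY_B, "Root B", KEY_B, True)
CROSS_A_BY_B = make_cert("Root A", KEY_A, "Root B", KEY_B, True)  # Root A's key, signed by B
INT_A = make_cert("Intermediate A", KEY_INT, "Root A", KEY_A, True)
LEAF = make_cert("www.example.test", KEY_LEAF, "Intermediate A", KEY_INT, False)
POOL = [INT_A, CROSS_A_BY_B]  # intermediates a server sends or a client has cached

def chains(anchors, pool=POOL):
    # Subject names along each trust path from LEAF to one of `anchors`.
    return [[c.subject.rfc4514_string() for c in p] for p in trust_paths(LEAF, pool, anchors)]
```

`chains([ROOT_A, ROOT_B])` finds two paths, `chains([ROOT_B])` still finds one via the cross-certificate, and only `chains([ROOT_B], pool=[INT_A])`, with the cross-certificate blocked too, finds none.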
If a CA suspects that it may have been hacked, it is required to contact Mozilla immediately. Whether smaller CAs will really heed this advice is questionable, since removal of the root certificate from the browser vendor's download package would completely undermine their business model.
Austria's CERT has issued an interim report containing tips for IT bosses on how to protect themselves from the consequences of the DigiNotar hack. It is advising users to replace any DigiNotar certificates still in use with certificates from other CAs and to update root certificates and revocation lists. It is also advising companies to draw up emergency plans in the event that the CA that issues their certificates is compromised.