Mozilla considers removing Trustwave CA
Scandalised by the snooping certificate issued by Trustwave, a heise Security reader, Sebastian Wiesinger, has submitted a report to Mozilla's bug database in which he requests that Trustwave's root certificates be removed from all Mozilla products. Mozilla's Kathleen Wilson, who is handling the issue, has accepted the submission and requested a statement from Trustwave. Trustwave's Brian Trzupek has already announced that further information will be released; it is, he says, still awaiting internal approval.
Yesterday, The H's associates at heise Security reported on the first publicly known case in which a widely accepted Certificate Authority sold a root certificate for surveillance purposes. Although Trustwave has said that the case was a one-off, that any misuse was impossible and that the certificate in question has since been revoked, critics argue that the issuer violated the Mozilla CA Certificate Policy. Among other things, that policy states that CAs must not knowingly issue certificates without the knowledge of the entities whose information is referenced in those certificates.
Interestingly, Trustwave also said that its actions are common practice among many CAs. Symantec, which purchased the biggest Certificate Authority, VeriSign, and is one of the major suppliers of Data Loss Prevention products, has so far not responded to questions on the subject that were put to it before yesterday's article was published.