Friday, September 9, 2011

Mozilla calls security audit of all CAs

After the compromise of the Dutch certificate authority DigiNotar, Mozilla has sent a warning e-mail to all CAs whose root certificates are included in Firefox and Thunderbird. Mozilla's CA manager Kathleen Wilson calls on the CAs to carry out a security audit of their Public Key Infrastructure (PKI) and to send the results to Mozilla by 16 September.

Wilson also asks the CAs to set up block lists for particularly prominent domains such as google.com or facebook.com. Before a certificate is issued for such a domain, the CA should check the request manually. The CAs are also to disclose to Mozilla the review procedure they apply in such cases.
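
The pre-issuance check described above, as an added example (not Mozilla's or any CA's code). The block list, the sample requests and the "manual_review" decision label are constructed for illustration; the names are normalised with Python's standard-library IDNA codec so that case, trailing dots and internationalised spellings cannot slip past an ASCII block list, and a request is flagged if any of its names is a blocked domain, a subdomain of one, or a wildcard that would cover one.

```python
"""Pre-issuance check of a certificate request against a block list of
high-value domains.

Added example, not Mozilla's or any CA's code.  The block list, the sample
requests and the 'manual_review' decision label are constructed for
illustration; a real CA would keep the list in its issuance system and route
matches to a human reviewer before anything is signed.
"""
from typing import Dict, Iterable, List

# Constructed block list: names whose certificates must never be issued
# automatically.  Kept in lower-case ASCII (IDNA A-label) form so that every
# comparison happens on normalised data.
HIGH_VALUE_DOMAINS = frozenset({"google.com", "facebook.com", "mozilla.org"})


def normalise_name(name: str) -> str:
    """Normalise a requested DNS name (CN or SAN) for comparison.

    Lower-cases, drops a trailing dot and converts internationalised names to
    punycode, so 'Google.COM.' and 'google.com' compare equal and a Unicode
    spelling cannot bypass an ASCII block list.  A leading '*.' (wildcard
    request) is preserved.
    """
    name = name.strip().rstrip(".").lower()
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    # str.encode('idna') applies nameprep + punycode per label and raises
    # UnicodeError on malformed names; let that propagate to the caller.
    ascii_name = name.encode("idna").decode("ascii")
    return "*." + ascii_name if wildcard else ascii_name


def matches_high_value(name: str,
                       block_list: Iterable[str] = HIGH_VALUE_DOMAINS) -> bool:
    """True if `name` is a blocked domain, a subdomain of one, or a wildcard
    that would cover one.

    Matching is label-based: 'accounts.google.com' matches 'google.com',
    but 'google.com.example.net' and 'notgoogle.com' do not.
    """
    normalised = normalise_name(name)
    wildcard = normalised.startswith("*.")
    base = normalised[2:] if wildcard else normalised
    for blocked in block_list:
        if base == blocked or base.endswith("." + blocked):
            return True
        # '*.com' would cover 'google.com' itself: flag wildcards whose base
        # is a suffix of a blocked name.
        if wildcard and blocked.endswith("." + base):
            return True
    return False


def review_request(names: List[str],
                   block_list: Iterable[str] = HIGH_VALUE_DOMAINS) -> Dict[str, object]:
    """Classify one certificate request (its CN plus every SAN).

    A single matching name is enough to send the whole request to manual
    review; the flagged names are returned so the reviewer sees why.
    """
    flagged = sorted({normalise_name(n) for n in names
                      if matches_high_value(n, block_list)})
    return {"decision": "manual_review" if flagged else "auto",
            "flagged": flagged}


if __name__ == "__main__":
    # Constructed sample requests.
    for request in (["www.example.net", "mail.example.net"],
                    ["www.example.net", "Accounts.Google.COM."],
                    ["*.facebook.com"],
                    ["google.com.example.net"]):
        print(request, "->", review_request(request))
```

Note that the check is deliberately a suffix match on whole labels, not a substring search: a substring search would either miss `accounts.google.com` or wrongly flag `google.com.example.net`, and the decision is only "send to a human", so false negatives matter more than false positives here.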

If a CA allows another party to issue certificates, it must either restrict that issuance to a whitelist or send Mozilla full details about the issuer and its business practices. In addition, all user accounts that are authorized to issue certificates must be protected by multi-factor authentication.

If the root certificate of a compromised CA is removed from the list of trusted CAs, the certificates it issued can, under some circumstances, continue to validate through cross-signing with another CA. Mozilla is therefore now demanding a better overview of the links between CAs and wants a list of all of each CA's cross-signing partners.
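
The mechanism described above, as an added example (not Mozilla's code): a trust-path search over a small constructed CA hierarchy with hypothetical names. Certificates are modelled only by subject and issuer; it shows that after the compromised root is pulled, a leaf whose intermediate was cross-signed by a second root still chains to the trust store, and it derives the cross-signing list Mozilla asked for from the same data.

```python
"""Trust-path search showing why distrusting one root is not enough when a
CA's intermediate has been cross-signed by another CA.

Added example, not Mozilla's code.  Certificates are modelled only by their
subject and issuer names; the hierarchy below is constructed and the CA names
are hypothetical.  Real chain building also checks signatures, validity
periods, name constraints and path-length limits.
"""
from typing import Dict, List, Set, Tuple

Cert = Tuple[str, str]  # (subject, issuer)

# Constructed hierarchy.  'Cross-Signed Sub CA' is one intermediate key with
# two certificates for it: one signed by the compromised root and one by a
# second, unrelated root.
CERTS: List[Cert] = [
    ("Compromised Root CA", "Compromised Root CA"),   # self-signed root
    ("Other Root CA", "Other Root CA"),               # self-signed root
    ("Cross-Signed Sub CA", "Compromised Root CA"),
    ("Cross-Signed Sub CA", "Other Root CA"),         # the cross-signature
    ("Plain Sub CA", "Compromised Root CA"),
    ("www.example.net", "Cross-Signed Sub CA"),
    ("mail.example.net", "Plain Sub CA"),
]


def issuer_graph(certs: List[Cert]) -> Dict[str, Set[str]]:
    """Map each subject to the set of CAs that have issued a certificate for
    it (self-signed roots are omitted: they terminate a path, not extend it)."""
    graph: Dict[str, Set[str]] = {}
    for subject, issuer in certs:
        if subject != issuer:
            graph.setdefault(subject, set()).add(issuer)
    return graph


def trust_paths(leaf: str, certs: List[Cert],
                trusted_roots: Set[str]) -> List[List[str]]:
    """Return every chain from `leaf` up to a root that is still in the trust
    store.  An empty list means the leaf no longer validates."""
    graph = issuer_graph(certs)
    paths: List[List[str]] = []

    def walk(node: str, path: List[str], seen: Set[str]) -> None:
        path = path + [node]
        if node in trusted_roots:
            paths.append(path)
            return
        for issuer in sorted(graph.get(node, ())):
            if issuer not in seen:            # guard against issuer loops
                walk(issuer, path, seen | {issuer})

    walk(leaf, [], {leaf})
    return paths


def cross_sign_partners(certs: List[Cert]) -> Dict[str, Set[str]]:
    """The overview Mozilla asked for: every subject (in practice a sub-CA)
    that holds certificates from more than one issuer, with those issuers."""
    return {subject: issuers
            for subject, issuers in issuer_graph(certs).items()
            if len(issuers) > 1}


def roots_to_distrust(leaf: str, certs: List[Cert],
                      trusted_roots: Set[str]) -> Set[str]:
    """Every root that must be removed before `leaf` stops validating."""
    return {path[-1] for path in trust_paths(leaf, certs, trusted_roots)}


if __name__ == "__main__":
    store = {"Compromised Root CA", "Other Root CA"}
    after_removal = store - {"Compromised Root CA"}
    for leaf in ("www.example.net", "mail.example.net"):
        print(leaf, "before:", trust_paths(leaf, CERTS, store))
        print(leaf, "after removing the compromised root:",
              trust_paths(leaf, CERTS, after_removal))
    print("cross-signed CA certificates:", cross_sign_partners(CERTS))
```

The practical consequence is the one Mozilla is reacting to: to actually cut off `www.example.net` here, the browser vendor must distrust both roots or have the cross-signing partner revoke its certificate for the intermediate, and it cannot know that without the list of cross-signing relationships.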

If a CA suspects that it, too, may have been the victim of an attack, its operator must contact Mozilla immediately. How many of the smaller CAs will actually heed this is questionable: as soon as the browser makers remove a CA's root certificate, the financial basis of that CA is destroyed.

Meanwhile, the Austrian CERT has published an interim report giving IT managers tips on how to protect themselves from the consequences of the DigiNotar hack. The CERT advises replacing DigiNotar certificates still in use with certificates from other CAs, and bringing root certificate stores and revocation lists up to date. Companies should also draw up a contingency plan for the case in which the CA that issues their certificates is compromised.
