A heated debate has unfolded after Trustwave made public their decision to revoke a subordinate root certificate it issued to a company that allowed it to intercept their employees’ private email communication.
A number of experts have made their opinions known on Mozilla’s Bugzilla system and for a while there it seemed that Trustwave could suffer Diginotar’s fate and have its root certificate removed from Firefox.
The option was backed, among others, by security researcher Christopher Soghoian, who pointed out that Trustwave knew when it issued the certificate that it would be used to sign certificates for websites not owned by its corporate customer, effectively mounting Man-in-the-Middle attacks.
“Regardless of the fact that Trustwave has since realized that this is not a good business practice to be engaged in, the damage is done,” he noted. “With root certificate power comes great responsibility. Trustwave has abused this power and trust, and so the appropriate punishment here is death (of its root certificate).”
A number of others sided with him and felt that there was a need to set a precedent that will send a message that violating of Mozilla’s CA policy will not be tolerated.
“My personal opinion: I would like to impress upon the CAs the seriousness of this, and that if any of them do have this type of subCA it needs to be revoked. However, I think that the “death sentence” for this CA would be extreme,” commented Mozilla’s Kathleen Wilson, and later added a link to a open discussion about a the email that Mozilla plans to send to all CAs in its root program regarding this issue.
“My intent is to make it clear that this type of behavior will not be tolerated for subCAs chaining to roots in NSS, give all CAs fair warning and a grace period, and state the consequences if such behavior is found after that grace period,” she wrote. “There is also an action item for CAs to update their CP/CPS to make it clear that they will not issue subCAs for this purpose.”