Mozilla asks CAs in its root program to revoke all MitM certificates

Following the big brouhaha raised by Trustwave’s acknowledgement that it has revoked a “MitM” subordinate root certificate it issued to a business for its Data Loss Prevention system, Mozilla has sent an email to all the Certification Authorities participating in its root program asking them not to issue any more certificates for subordinate CAs which can be used to monitor encrypted data, and to revoke all such certificates they have already issued.

“As a CA in Mozilla’s root program you are ultimately responsible for certificates issued by you and any intermediate CAs that chain up to your roots,” says Kathleen Wilson, owner of Mozilla’s CA Certificates Module, in the email.

“After April 27, 2012, if it is found that a subordinate CA is being used for MITM, we will take action to mitigate, including and up to removing the corresponding root certificate. Based on Mozilla’s assessment, we may also remove any of your other root certificates, and root certificates from other organizations that cross-sign your certificates.”

She requires all CAs to reply to the request by March 2, and says that she will publish a compiled list of CA responses to all of the action items in the email.

As proof that they have revoked said certificate, she wants to see the certificate that signed the subCA, the serial number of the revoked certificate and the CRL that contains the serial number of the revoked certificate.

“Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve,” she concluded.