Mozilla drafts changes to certificate policy
Mozilla is reviewing a final draft of its baseline policies to address problems in the way that internet certificates are issued.
(Glasses image by hm.matheus, CC2.0)
Mozilla wants Certificate Authorities (CAs) that issue certificates to adopt a standard that's been dubbed "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" (PDF), published by the Certificate and Browser Forum and still in a final draft.
Mozilla consultant Kathleen Wilson said on a Mozilla development forum that CAs will have until 25 May to review the draft and voice concerns about how the requirements will impact their operations.
In a draft letter to be sent to CAs, Wilson said Mozilla has begun discussions on updating "Phase 2" components of its certificate policy.
"The current discussions are focused on RAs (Registration Authorities) and Subordinate CAs," Wilson wrote in the letter.
"We recommend that you monitor and contribute to these discussions so that you are aware of how the potential changes to the Mozilla CA Certificate Policy may impact you."
She said that from 30 June this year, Mozilla software will refuse certificates signed with the troubled MD5 hash algorithm for intermediate and end-entity CAs, and "will take this action earlier and at its sole discretion if necessary to keep our users safe".
In late 2008, security researchers had already exploited weaknesses in the MD5 algorithm to forge fake certificates.
But the news grated with some of the users commenting on the forum. They claimed to have been left out of the decision-making process.
"I'm sorry, I must have missed something. When was this discussed? When was this aired in this forum?" wrote one user.
"Where I am still concerned is with the Mozilla intention. You've obviously thought about this for two years. Some of us haven't. A problem with closed groups is that those who are in them are comfortable with the way the direction is going, those who are out are not," another user said.
Wilson said that the company will discuss the requirements before adding changes to the Mozilla CA Certificate Policy.
The review comes amid breaches of an RA linked to CA Comodo in which several certificates were stolen in a high-profile attack.