Trustwave Re-Ignites SSL Policy Debate with Cert Revocation, Rule Change

Some in the Mozilla community think trust in Trustwave's root certificate should be revoked

(WEB HOST INDUSTRY REVIEW) — Digital certificate authority Trustwave admitted via a blog post on Saturday that it had issued an SSL certificate to a private company so that the company could spy on SSL-protected connections within its own corporate network.

“It has been common practice for Trusted CAs to issue subordinate roots for enterprises for the purpose of transparently managing encrypted traffic. In the past, Trustwave, like many of our peers in the industry, has enabled organizations to perform this activity. Due to events of the past year, Trustwave has decided to revoke all subordinate roots issued for this purpose,” Trustwave said in its policy change on its website at the end of January.

According to a post on Bugzilla by Trustwave vice president of managed identity and SSL Brian Trzupek, the single subordinate root was issued to an enterprise customer for use on its internal network, with the CA private key stored in a non-exportable, non-recoverable mode. The single certificate was to be used within a data loss prevention system.

The system generated the private keys for the cloned end-entity certificates within the hardware security module, Trzupek says, and those keys were never available to the system administrators of the dedicated hardware device.

“No party had access to the re-signed SSL certificate private keys at any time, nor could they gain access to them,” according to a blog post on Spider Labs. “This is what prevented the customer from being able to perform ad hoc issuance of certificate for any domain and use them outside of this hardware and infrastructure.”
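Why a subordinate root of this kind is accepted by browsers, and how a client can still notice the substitution, shown as an added illustration that is not from the article, from Trustwave or from the SpiderLabs post: the Go program below (standard library only) builds a fictional public root, the CA that actually issues for example.com, and an unconstrained subordinate CA of the same root, then "clones" the example.com certificate under a fresh key, as an inspection device would. Ordinary path validation accepts both chains, which is exactly what makes this kind of interception transparent to users; a client-side pin on the expected issuer's SubjectPublicKeyInfo hash rejects the cloned chain. Every name, serial number and key here is constructed for the example; none refers to a real CA or to Trustwave's customer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Constructed PKI, nothing here is real: a public root, the CA that really issues for
// example.com, and an unconstrained subordinate CA of that root given to an inspection device.
type Issued struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and signs tmpl with parent (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, parent *Issued) *Issued {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent = &Issued{tmpl, key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key))
	return &Issued{must(x509.ParseCertificate(der)), key}
}

// template builds a CA template, or with isCA false a server template for the DNS name.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, what a client pins for an expected issuer.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verify is ordinary path validation against root, as a browser does it; nil means it failed.
func verify(leaf, inter, root *x509.Certificate, host string) []*x509.Certificate {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return nil
	}
	return chains[0]
}

// pinOK reports whether any certificate in a validated chain carries a pinned key.
func pinOK(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

type Outcome struct{ GenuineValid, ClonedValid, GenuinePinOK, ClonedPinOK bool }

// Scenario builds the genuine and the cloned chain and runs both checks over each.
func Scenario() Outcome {
	root := issue(template("Public Root CA", 1, true), nil)
	siteCA := issue(template("Example Issuing CA", 2, true), root)
	genuine := issue(template("example.com", 3, false), siteCA)
	subCA := issue(template("Enterprise Inspection CA", 4, true), root) // no name constraints
	cloned := issue(template("example.com", 5, false), subCA)          // fresh key, never the site's
	pins := map[string]bool{spkiPin(siteCA.Cert): true}                // client pins the real issuer
	g := verify(genuine.Cert, siteCA.Cert, root.Cert, "example.com")
	c := verify(cloned.Cert, subCA.Cert, root.Cert, "example.com")
	return Outcome{g != nil, c != nil, pinOK(g, pins), pinOK(c, pins)}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Both chains pass path validation because the subordinate CA descends from a trusted root and carries no constraint on the names it may sign; only the pin, which lives in the client and names the issuer that is actually expected behind the host, tells the two apart. The trade-off is that pinned issuers must be rotated in the client when the site changes CA, which is why pinning is usually reserved for a small number of high-value hosts.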

While Trustwave says it will no longer enable systems of this type, it has said the issuing of subordinate roots to private companies to inspect SSL-encrypted traffic in their networks is a common practice in the industry, according to a post by PCWorld.

This move has caused some in the Mozilla community to suggest Trustwave’s root certificate be removed from Firefox.

Mozilla’s CA Certificate Policy states that it reserves the right to not include a CA certificate in its software products, including in cases where including a CA certificate would “cause undue risks to users”, for example CAs that “knowingly issue certificates without the knowledge of the entities whose information is referenced in the certificates.”

In December 2011, Trzupek talked about Trustwave’s two-factor authentication solution, Trustwave MyIdentity, in an interview with the WHIR.

Nicole Henderson

About

Nicole Henderson writes full-time for the Web Host Industry Review where she covers daily news and features online, as well as in print. She has a bachelor of journalism from Ryerson University in Toronto, and has been writing for the WHIR since September 2010. You can find her on Twitter @NicoleHenderson.
