CA audit did not follow some criteria from Mozilla

Apr 29, 2015 13:22 GMT  ·  By

Mozilla will remove its trust in a root certificate authority (CA) from Turkey; as a consequence, every certificate chaining to that root will fail validation in the Firefox web browser when users visit the sites that present it.

The result will be a certificate validation error, the same warning that normally signals an attacker trying to impersonate a legitimate domain with a fake certificate. In this case the sites themselves are unchanged; only the browser's trust in their issuer has been withdrawn.

A digital certificate binds a server's name to its public key so that a client can authenticate the server it is connecting to over TLS. It is issued by a CA whose root certificate ships in the browser's trust store, usually through one or more intermediate CAs that chain up to that root. To keep its place in the store, the CA has to comply with the browser vendor's inclusion policy and demonstrate, through independent audits, that the chain of trust anchored at its root is operated correctly.
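The chain-of-trust mechanics described above, as an added Go example that is not part of the article or of Mozilla's own tooling. It uses only the standard crypto/x509 package to build a throwaway root, intermediate and server (leaf) certificate, then verifies the leaf twice: once with the root in the trust store, and once with the root removed, which is the situation the distrust creates for certificates under the affected root. The CA names and the hostname example.test are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with parentKey under parent and returns the parsed
// certificate plus the new subject key. With parent == nil the certificate
// is self-signed, which is how a root CA certificate comes into being.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate returns a CA certificate template: basicConstraints CA=TRUE
// and a key usage that permits signing other certificates.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// BuildDemoChain constructs a throwaway root -> intermediate -> leaf chain
// for host. Everything here is generated in memory for the example.
func BuildDemoChain(host string) (root, inter, leaf *x509.Certificate, err error) {
	root, rootKey, err := issue(caTemplate(1, "Demo Root CA"), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(caTemplate(2, "Demo Intermediate CA"), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // name-to-key binding checked by the client
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err = issue(leafTpl, inter, interKey)
	return root, inter, leaf, err
}

// VerifyServerCert does what a browser does on connect: walk from the leaf
// through the supplied intermediates up to a root in the trust store, checking
// the hostname, validity windows and usages. Only roots in trusted count.
func VerifyServerCert(leaf, inter *x509.Certificate, trusted *x509.CertPool, host string) error {
	intermediates := x509.NewCertPool()
	intermediates.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         trusted,
		Intermediates: intermediates,
	})
	return err
}

// IsUnknownAuthority reports whether verification failed because no trusted
// root anchors the chain, the failure a browser reports once a root is removed.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	root, inter, leaf, err := BuildDemoChain("example.test")
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	fmt.Println("with root trusted:", VerifyServerCert(leaf, inter, trusted, "example.test"))
	fmt.Println("after root removed:", VerifyServerCert(leaf, inter, x509.NewCertPool(), "example.test"))
}
```

Note that the leaf and intermediate are byte-for-byte identical in both runs; nothing about the server changed. The only difference is whether the root is present in the pool passed as Roots, which is precisely what a trust-store removal does.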

Mozilla requires annual audit statements from CAs

Starting with Firefox 38, currently in beta, Mozilla will remove the root certificate owned by e-Guven Elektronik Bilgi Guvenligi A.S. from its trust store.

The move is not the result of a compromise of the organization or the certificates it signs, but the company’s failure to meet Mozilla’s requirements regarding audit statements.

“When a CA certificate is trusted for verifying certificates for SSL/TLS servers, Mozilla’s CA Certificate Inclusion Policy requires CAs to annually provide public-facing attestation from an independent party,” informs a blog post from Kathleen Wilson from Mozilla Security Team.

Last audit is old and nonconforming

In the case of e-Guven, the latest audit statement Mozilla has dates from October 2013. It was performed by ICTA (Information and Communication Technology Agency) and does not meet either of the following two criteria required by Mozilla's policy:

1. Clause 7, “Requirements on CA practice,” in ETSI TS 102 042 V2.3.1 or later, Policy requirements for certification authorities issuing public key certificates.
2. WebTrust “Principles and Criteria for Certification Authorities 2.0” or later and “SSL Baseline Requirements Audit Criteria V1.1” (as applicable to SSL certificate issuance) in the WebTrust Program for Certification Authorities.

Because this deviates from Mozilla’s CA Certificate Inclusion Policy, a course of action was discussed, and the conclusion reached was to remove e-Guven’s root certificates from Firefox on the grounds of inadequate audit statements.