Mozilla has given all SSL certificate authorities (CA) until April 27 to destroy any subordinate CA certificates used to intercept traffic on a private network or face expulsion from its root certificate program.
The organisation's sunset follows an admission this month by security vendor Trustwave that it issued a single certificate to support a data loss prevention (DLP) system used in an audit of a customer's physical security, network security and security policies.
Despite Truswave's intentions, issuing a subordinate root certificate to a third-party would enable the recipient to issue unlimited SSL certificates for any domain, jeopardizing the integrity of the web's already shaky trust model.
Mozilla sent an email to all CAs last Friday demanding that by March 2 each authority comes clean about how they currently use subordinate certificates, including whether they are used to conduct intercept private network traffic.
CA's have until April 27 to destroy any certificates used for these purposes or face termination from Mozilla's root certificate program.
"We have requested that any such certificates be revoked, and their HSMs (Hardware Security Models) destroyed," said Firefox Engineering senior director Johnathan Nightingale.
"We have requested the serial numbers of those certificates and fingerprints of their signing roots so that we, and other relying parties, can detect and distrust these subCA certificates if encountered. We have requested that any CAs who have issued subCA certificates fulfill these requests no later than April 27, 2012."
"Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe, up to and including the removal of root certificates that mis-issue, as well as any roots that cross-sign them."
Trustwave escaped being banished from Mozilla's program after clarifying that it only ever issued one such subordinate certificate and that it would stop the practice.
However, Mozilla's patch indicates it has distrusted two Trustwave skeleton certificates.