TURKTRUST Unauthorized CA Certificates
Although unrelated to Entrust, I thought you might be interested in the news about TURKTRUST.
It has been reported that the TURKTRUST certification authority (CA) inadvertently issued two intermediate CA certificates in August 2011. The certificates were issued in error due to test code being moved into production. The certificates issued were for “*.EGO.GOV.TR” and “e-islem.kktcmerkezbankasi.org.”
According to TURKTRUST, on December 6, 2012, the “*.EGO.GOV.TR” intermediate CA certificate was installed on a Check Point firewall configured for SSL inspection. In this mode the firewall intercepts outbound HTTPS connections and automatically generates a certificate for each one, signed with whatever CA certificate it holds. Because the certificate it held was a publicly trusted intermediate, the “*.google.com” certificate it generated would chain to a trusted root in any browser. TURKTRUST stated that the certificate was not issued for dishonest purposes.
It is not acceptable, but mistakes do happen. In this case, as with DigiNotar in 2011, the mistake was detected by Chrome’s public key pinning: Chrome rejects any certificate for Google domains that does not chain to one of the pinned keys, and the report of that rejection indicated that a fraudulent Google certificate had been issued.
What else can be done? Here are some ideas:
Limit CA Functionality – If a CA is not supposed to issue CA certificates, then disable that functionality in its profiles so that it can only issue end-entity certificates. If the CA is only supposed to issue SSL certificates, then disable the functionality for Code Signing and S/MIME as well. A CA that can only do what it is meant to do limits the damage a configuration mistake can cause.
Automated Certificate Inspection – Every certificate that has been issued should be automatically checked against a set of criteria: minimum key size, signature algorithm, presence of a CRL distribution point (CDP), presence of an OCSP responder in the Authority Information Access (AIA) extension, and the contents of the basic constraints extension. If the basic constraints extension has the CA flag set (CA:TRUE, shown as “Subject Type=CA” in the Windows certificate viewer), then an investigation should be performed to ensure that the CA certificate issuance was authorized.
Audit – Both internal and external audits could be performed to manually inspect issued certificates. If a CA certificate is found, then an investigation should be performed to ensure it was authorized.
Certificate Transparency – We can help domain owners check for fraudulent website certificate issuance. This could be done with the further development and deployment of Certificate Transparency (CT), which would record every issued certificate in public, append-only logs. CT will make it possible for domain owners to inspect those logs to see if any certificates were issued for one of their domains.
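The automated inspection described above, as an added example that is not TURKTRUST's, Entrust's or any CA product's own code: it checks an issued certificate for minimum RSA key size, weak signature algorithm, a CRL distribution point, an OCSP URL in the AIA extension, and an unauthorized CA:TRUE basic constraint. It uses the Python `cryptography` library, and the certificates, the authorized-CA serial list, the 2048-bit policy minimum and the CRL/OCSP URLs are all constructed for the demo. The "bad" certificate is shaped like the TURKTRUST case: an end-entity request that came out with CA:TRUE.

```python
"""Automated inspection of issued certificates against the criteria in the post.
Added example with constructed test certificates, not a CA's real issued-cert store."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID, ExtensionOID,
                                   NameOID, SignatureAlgorithmOID)

MIN_RSA_BITS = 2048  # policy value assumed for the example
WEAK_SIGNATURE_OIDS = {SignatureAlgorithmOID.RSA_WITH_MD5, SignatureAlgorithmOID.RSA_WITH_SHA1}


def _extension(cert, oid):
    """Value of extension `oid`, or None when the certificate does not carry it."""
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def inspect_certificate(cert, authorized_ca_serials=frozenset()):
    """Return finding codes for one issued certificate; an empty list means it passes.
    Any CA:TRUE certificate whose serial is not in `authorized_ca_serials` is flagged."""
    findings = []
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < MIN_RSA_BITS:
        findings.append("WEAK_KEY")
    if cert.signature_algorithm_oid in WEAK_SIGNATURE_OIDS:
        findings.append("WEAK_SIGNATURE_ALGORITHM")
    if _extension(cert, ExtensionOID.CRL_DISTRIBUTION_POINTS) is None:
        findings.append("NO_CRL_DP")
    aia = _extension(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
    if aia is None or not any(d.access_method == AuthorityInformationAccessOID.OCSP for d in aia):
        findings.append("NO_OCSP_AIA")
    bc = _extension(cert, ExtensionOID.BASIC_CONSTRAINTS)
    if bc is not None and bc.ca and cert.serial_number not in authorized_ca_serials:
        findings.append("UNAUTHORIZED_CA_CERT")
    return findings


def build_certificate(issuer_name, issuer_key, subject_cn, subject_key, *,
                      ca, crl_url, ocsp_url, hash_alg):
    """Issue a test certificate; the CRL and OCSP URLs are hypothetical."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
               .issuer_name(issuer_name)
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if crl_url:
        dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(crl_url)],
                                    relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    if ocsp_url:
        ad = x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                    x509.UniformResourceIdentifier(ocsp_url))
        builder = builder.add_extension(x509.AuthorityInformationAccess([ad]), critical=False)
    return builder.sign(issuer_key, hash_alg)


def run_demo():
    """Issue a compliant SSL certificate and one resembling the TURKTRUST mistake
    (an unauthorized CA:TRUE certificate), and inspect both."""
    issuer_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    crl_url, ocsp_url = "http://crl.example.test/issuing.crl", "http://ocsp.example.test/"
    good = build_certificate(issuer_name, issuer_key, "www.example.test",
                             rsa.generate_private_key(public_exponent=65537, key_size=2048),
                             ca=False, crl_url=crl_url, ocsp_url=ocsp_url, hash_alg=hashes.SHA256())
    # Weak key, SHA-1 signature, no revocation pointers and CA:TRUE: every check fires.
    bad = build_certificate(issuer_name, issuer_key, "*.example.test",
                            rsa.generate_private_key(public_exponent=65537, key_size=1024),
                            ca=True, crl_url=None, ocsp_url=None, hash_alg=hashes.SHA1())
    return {
        "good": inspect_certificate(good),
        "bad": inspect_certificate(bad),
        # Same CA certificate with its serial on the approved list: CA:TRUE is no
        # longer a finding, but the other defects still are.
        "bad_authorized": inspect_certificate(bad, {bad.serial_number}),
    }


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings or "OK")
```

In production the loop over `inspect_certificate` would run against every certificate the CA writes to its database, and the authorized-CA list would come from the change-control records that approved each subordinate CA, so that a CA:TRUE certificate with no matching approval is escalated the day it is issued rather than sixteen months later.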
Updated January 7, 2013: TURKTRUST has provided an announcement and technical details.