Trustwave defended itself by saying that the issuing of subordinate roots to private companies, so they can inspect the SSL-encrypted traffic that passes through their networks, is a common practice in the industry. However, the CA decided to stop issuing such certificates in the future and revoke the existent ones.
"I would say that Trustwave should be commended for making this statement public, knowing that this could result in reputational damage," said Calum MacLeod, director for the EMEA region at Venafi, a company that sells certificate and digital key management products. "I believe it is commendable that they will no longer continue this practice, but the reality is in my opinion that this is a common industry practice."
Trustwave might have taken significant steps to ensure that its subordinate root will not be abused, but this is not necessarily true for all cases where companies make use of this technique.
"In the vast majority of enterprises today, there is little or no control over the security and management of private keys," MacLeod said. "In most cases, the private keys are not being protected, and system administrators are handling keys manually."
MacLeod pointed out that just because Trustwave did not issue a subordinate root certificate to a government, an ISP or a law enforcement agency, does not mean that other CAs haven't done so. "Maybe it's time websites carried the same message as the telephone service; 'this session may be recorded!'," he said.
According to Amichai Shulman, chief technology officer and co-founder of security firm Imperva, there are other techniques that companies can use to snoop on SSL-encrypted traffic within their networks, and they don't require the use of such broad certificates.
"The fact that CA services are willing to issue 'weak CA' certificates to practically anyone is outrageous," Shulman said. "Not only that the effect of a compromise of such a certificates is devastating but the chances for it happening are not negligible."