Mozilla has updated its Certificate Authority (CA) Certificate Policy to lessen the risk of hackers getting their hands on subordinate CA certificates.
Subordinate CA certificates are granted the same power as the CA, and they can be used to issue valid SSL certificates.
Until now, subordinate CA certificates have not been subjected to the same scrutiny and controls as root CA certificates.
The policy is being changed to reflect Mozilla's "belief that each root is ultimately accountable for every certificate it signs, directly or through its subordinates."
Subordinate CA certificates issued after May 15, 2013 must comply with Mozilla's new policy; existing certificates have until May 15, 2014 to be updated to comply with the policy