[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Marsh Ray marsh at extendedsubset.com
Thu Dec 1 11:56:17 EST 2011

On 11/30/2011 06:44 PM, Adam Back wrote:
> Are there really any CAs which issue sub-CA for "deep packet
> inspection" aka doing MitM and issue certs on the fly for everything
> going through them: gmail, hotmail, online banking etc.

> http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html
> GeoTrust Launches GeoRoot; Allows Organizations with Their Own
> Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public
> Root
> Economical Solution Complements Capabilities of Internal CAs, such as
> the Microsoft Certificate Authority, Allowing Public Recognition of
> SSL and Client Certificates
> SAN FRANCISCO, RSA CONFERENCE, Feb. 14 /PRNewswire/ -- GeoTrust,
> Inc., a leader in identity verification solutions for e-business and
>  the world's second largest issuer of SSL (secure sockets layer)
> certificates for web security, today announced the availability of
> GeoRoot(TM), an enterprise solution that allows organizations to
> chain their internally issued digital certificates to GeoTrust's
> publicly recognized roots. GeoRoot allows organizations with their
> own Public Key Infrastructure (PKI) to extend the use of SSL server
> and client certificates by leveraging a highly ubiquitous GeoTrust
> root, supported by over 99% of browsers. "Today, many large
> organizations utilize Microsoft's free Certificate Authority to
> create digital certificates for securing their servers, email and
> employee remote access," stated Neal Creighton, CEO of GeoTrust.
> "However, these 'self-signed' certificates are only recognized within
> the issuing organization or other allied organizations that have
> chosen to share trust. By chaining to our widely supported public
> root, these organizations can easily enable trusted e-business
> transactions outside of their organizations." "Server-based digital
> certificates for SSL have become increasingly important to
> organizations because they provide enhanced security," stated Vic
> Wheatman, Managing Vice President, Gartner, Inc. "However, we
> recognize that some organizations need to extend acceptance of their
> own certificates beyond their enterprise. By chaining their
> certificates to a widely recognized root, organizations can elevate
> trust levels and SSL functionality while using their own internal PKI
> system." GeoRoot is designed to complement the existing capabilities
> of an in-house Certificate Authority, allowing organizations to
> maintain full control over Registration Authority (RA) functions for
> the issuance of SSL server certificates and client certificates
> (x.509). By chaining to GeoTrust's public root, certificates gain
> compatibility with virtually all browsers and digital certificate and
> public key security applications, including commerce sites, intranet,
> extranet, S/MIME and VPN hardware and clients. This ubiquitous
> recognition allows certificates, whether for electronic documents,
> secure email or other transactions, to be trusted globally.
> Certificate lifecycle management is a key feature of GeoRoot,
> allowing organizations to easily issue, renew and revoke
> certificates. Other functions, such as authenticating individuals,
> deploying and managing SSL server certificates and client
> certificates, as well as managing the distribution of public keys to
>  appropriate parties, are all handled by the organization. GeoRoot
> also allows an enterprise to maintain its own brand identity when
> issuing certificates, an attractive feature for certain applications
>  such as email certificates. In addition to GeoRoot, GeoTrust offers
> a full line of digital certificates for identity verification,
> including client certificates for secure access, SSL certificates for
> e-commerce and web services security, code signing certificates for
> software developers and the recently announced certified signing
> solution for Adobe(R) Acrobat(R). Its customers include the world's
> largest hosting companies, Global 1000 companies, educational
> institutions and government agencies worldwide.
> Pricing and Availability GeoRoot is available today in several
> configurations, with annual licenses to meet the needs of low volume
>  to high volume users. GeoRoot is only available for internal use,
> and organizations must meet certain eligibility requirements,
> including financial net worth, insurance minimums, policy,
> implementation and compliance guidelines, and hardware security
> specifications. Complete details are available from GeoTrust sales
> at 866-511- 4141 or sales at geotrust.com.
> About GeoTrust, Inc. GeoTrust is a leader in identity verification
> and trust services for e- business. Its products include web security
> services for secure e-commerce transactions, identity verification
> services for secure access, digital signing and consumer
> verification, managed security services and TrustWatch, a free
> toolbar and search site that helps consumers recognize whether a site
> has been verified and is safe for the exchange of confidential
> information (http://www.trustwatch.com). With more than 80,000
> companies in over 150 countries using its technology for online
> security, GeoTrust has rapidly become the second largest digital
> certificate provider in the world. Visit http://www.geotrust.com or
> call 781-292-4100 for more information GeoTrust is a registered
> trademark and GeoRoot is a trademark of GeoTrust, Inc. All other
> product names are trademarks or registered trademarks of their
> respective owners.
> Media Contacts: Joan Lockhart                      Bill Keeler or
> Jennifer Roedel GeoTrust, Inc.                     Schwartz
> Communications 781-292-4153                       781-684-0770
> joanl at geotrust.com                 geotrust at schwartz-pr.com
> SOURCE  GeoTrust, Inc.

The existence of this product has been largely removed from GeoTrust's 
English-language site (Moxie pointed it out at BlackHat). It's still 
being promoted in other languages, however.

> About 212 results
> 1. GeoRoot – Take your certification into your own hands, SSL ... With
> GeoTrust® GeoRoot, companies gain complete control over registration
> authority functions when issuing SSL server certificates ...
> www.geotrust.com/de/enterprise.../georo...
> 2. GeoRoot – Become a Certificate Authority, certificates ... More
> information about GeoRoot, the Enterprise SSL product that lets your
> company become its own certificate authority - an economical way ...
> www.geotrust.com/es/enterprise-ssl.../georoot...
> 3. GeoRoot – Become a certificate authority, SSL certificates ... To
> learn more about GeoRoot, the Enterprise SSL product that lets your
> company become its own certificate authority. It is a way ...
> www.geotrust.com/fr/enterprise-ssl.../georo...
> 4. SSL Certificates, Document Security, Enterprise SSL from a Leading
> ... SSL for the Enterprise · Enterprise SSL Save time and money on
> volume SSL purchases. GeoRoot Become Your Own Certificate Authority.
> ... www.geotrust.com/products/index.html?pageid=10220000000
> 5. Email GeoTrust Customer Support - GeoTrust ... Certified Document
> Solutions, Code Signing, My Credential, Microsoft Windows Marketplace
> Developers, High Volume Solutions (Enterprise), GeoRoot ...
> www.geotrust.com/about/contact/support-form/
> 6. SSL Certificates from a Leading SSL Certificate Authority - GeoTrust
> Signing Products · Certified Document Solutions · Code Signing · My
> Credential/ EPM Credential · SSL for the Enterprise · Enterprise SSL ·
> GeoRoot · Solutions ... smarticon.geotrust.com/
> 7. What Out for Phishing Scam on Tumblr | GeoTrust Blog Jun 29, 2011
> ... Quick SSL Premium Certificates, and VeriSign Certified Document
> Solutions, My Credential Certificates, Enterprise SSL, and GeoRoot.
> blogs.geotrust.com/2011/06/what-out-for-phishing-scam-on-tumblr/
> 8. May the 4th be with you! | GeoTrust Blog May 4, 2011 ... Quick SSL
> Premium Certificates, and VeriSign Certified Document Solutions, My
> Credential Certificates, Enterprise SSL, and GeoRoot.
> blogs.geotrust.com/2011/05/may-the-4th-be-with-you/
> 9. January | 2011 | GeoTrust Blog Jan 28, 2011 ... Quick SSL Premium
> Certificates, and VeriSign Certified Document Solutions, My Credential
> Certificates, Enterprise SSL, and GeoRoot. blogs.geotrust.com/2011/01/
> 10. Fraud | GeoTrust Blog Mar 12, 2011 ... Quick SSL Premium
> Certificates, and VeriSign Certified Document Solutions, My Credential
> Certificates, Enterprise SSL, and GeoRoot.
> blogs.geotrust.com/category/fraud/

> http://translate.google.com/translate?hl=en&ie=UTF8&prev=_t&sl=auto&tl=en&u=http://www.geotrust.com/fr/enterprise-ssl-certificates/georoot/

> Become your own Certificate Authority
> GeoTrust® GeoRoot lets companies keep full control of Registration
> Authority (RA) functions for issuing SSL server certificates and client
> certificates (x.509). With private certificates, organizations
> strengthen their reputation for secure and reliable transactions.
> Inexpensive fixed annual packages and cost-effective licensing make it
> easier to optimize IT budgets and lower the total cost of ownership.
> Contact sales or call +44 203 0240907.
> Global recognition of self-signed certificates
> GeoTrust certificates are recognized by 99% of web browsers and by most
> popular mobile devices. They are compatible with the majority of
> digital certificate and public-key security applications. The universal
> recognition of GeoRoot-signed certificates lets companies ensure that
> digital certificates chained to the GeoTrust root are trusted
> worldwide.
> Management and control of the certificate lifecycle
> Companies use GeoRoot for their customized internal applications and
> for secure data exchange between different partners. The company keeps
> full control over authenticating individuals, deploying and managing
> SSL server and client certificates, and managing the distribution of
> public keys to the parties concerned, giving maximum flexibility for
> securing business applications across the enterprise.
> Seamless integration
> GeoRoot works seamlessly with Microsoft Active Directory and
> Certificate Server for authentication and for issuing GeoTrust-signed
> certificates. In most cases, once a certificate has been generated by
> MS Certificate Server and signed in GeoRoot, the information about that
> certificate is automatically fed into Active Directory.
> GeoRoot eligibility criteria
> To purchase GeoRoot, you must meet at least the following criteria:
> * Minimum net worth of $5 million
> * Minimum of $5 million in Errors and Omissions coverage
> * Articles of association (or equivalent) and proof of position
>   provided
> * Written and up-to-date Certificate Practice Statement
> * FIPS 140-2 Level 2 compliant device (GeoTrust has partnered with
>   SafeNet, Inc.) for generating and storing your root certificate keys
> * Approved CA product from Baltimore/Betrusted, Entrust, Microsoft,
>   Netscape or RSA
> GeoRoot customer instructions
> * GeoTrust must review and approve the certificate profiles for the
>   organization's root and end-entity certificates before certificates
>   can be issued.
> * Organizations must maintain an up-to-date Certificate Revocation
>   List (CRL) for all certificates issued by the company.
> * GeoTrust may request a statement of compliance or conduct an audit.
> Instructions for GeoRoot SSL server certificates
> * SSL certificates may be issued for one or more years
> * All domains must be owned by the enterprise customer
> * Certificates may be installed on as many servers as needed
> * SSL certificates must include the standard set of X.509 extensions
> Instructions for GeoRoot client certificates
> * Client certificates may be issued for one or more years
> * Organizations may issue certificates only to employees and to
>   domains they control
> * Companies may not resell or deliver to unaffiliated users
> * Certificates must include the standard set of X.509 extensions
> SafeNet Luna hardware security module
> SafeNet Luna® products provide true hardware key management to
> preserve the integrity of encryption keys. Sensitive keys are created,
> stored and used exclusively within the secure functions of the Luna
> hardware security module to prevent any compromise. SafeNet Luna
> products have been integrated with GeoTrust solutions and fully meet
> the GeoRoot requirements for a FIPS 140-2 Level 2 compliant device.


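The question at the top of the thread is what a sub-CA chained to a public root can do once relying parties trust that root. The Go program below is an added example written for this page; it is not code from the post, from GeoTrust, or from any product named here. It builds, entirely in memory, a throwaway "public root", an enterprise sub-CA chained to it, and a server certificate from that sub-CA (all names, serial numbers and keys are constructed), validates the leaf the way a browser does, and applies the audit check a defender would want: flag any intermediate CA that carries no X.509 name constraints. With an unconstrained sub-CA the leaf for an arbitrary hostname validates; with a sub-CA constrained to the enterprise's own domain, only names inside that domain do. Name constraints (RFC 5280 section 4.2.1.10) are the mitigation assumed here; the page itself only requires "the standard set of X.509 extensions".

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a fresh P-256 key, signs tmpl under parent (nil = self-signed)
// with signerKey, and returns the certificate with its private key.
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// caTemplate builds a CA template; a non-empty permitted list adds a critical
// name constraints extension limiting the DNS names this CA may certify.
func caTemplate(serial int64, cn string, permitted []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if len(permitted) > 0 {
		t.PermittedDNSDomains = permitted
		t.PermittedDNSDomainsCritical = true
	}
	return t
}

// BuildChain returns [leaf, subCA, root] (constructed names): the sub-CA is
// constrained to permitted (nil = unconstrained), the leaf is a server cert for dnsName.
func BuildChain(permitted []string, dnsName string) []*x509.Certificate {
	root, rootKey := issue(caTemplate(1, "Constructed Public Root", nil), nil, nil)
	sub, subKey := issue(caTemplate(2, "Constructed Enterprise Sub-CA", permitted), root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub, subKey)
	return []*x509.Certificate{leaf, sub, root}
}

// Accepted is the relying-party check: trust only the root, treat the rest as
// intermediates, and validate the leaf for dnsName as a TLS client would.
func Accepted(chain []*x509.Certificate, dnsName string) (bool, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters})
	return err == nil, err
}

// UnconstrainedSubCAs is the audit check: subject names of every non-root CA in
// the chain that carries no DNS name constraints, i.e. one able to certify any host.
func UnconstrainedSubCAs(chain []*x509.Certificate) []string {
	var out []string
	for _, c := range chain {
		if c.IsCA && !bytes.Equal(c.RawSubject, c.RawIssuer) && len(c.PermittedDNSDomains)+len(c.ExcludedDNSDomains) == 0 {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

func main() {
	for _, tc := range []struct {
		permitted []string
		name      string
	}{{nil, "mail.example.com"}, {[]string{"corp.example"}, "mail.example.com"}, {[]string{"corp.example"}, "vpn.corp.example"}} {
		chain := BuildChain(tc.permitted, tc.name)
		ok, err := Accepted(chain, tc.name)
		fmt.Printf("permitted=%v name=%s accepted=%v unconstrained=%v err=%v\n", tc.permitted, tc.name, ok, UnconstrainedSubCAs(chain), err)
	}
}
```

Run with `go run`; the first line shows the unconstrained sub-CA's certificate for an unrelated hostname validating and the sub-CA listed as unconstrained, the second shows the constrained sub-CA rejected for a name outside its domain, and the third shows it accepted inside its domain. In a real deployment the same `UnconstrainedSubCAs` check can be run over the chain a server presents (for Go clients, `tls.ConnectionState.VerifiedChains`). Whether a given client actually enforces name constraints is itself something to verify per product; this example shows the Go standard library's behaviour.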
More information about the cryptography mailing list