[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Dec 2 00:38:24 EST 2011


Marsh Ray <marsh at extendedsubset.com> writes:

> Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public
> Root
>
>[...]
>
> SAN FRANCISCO, RSA CONFERENCE, Feb. 14

February of which year?  If it's from this year then they're really late to
the party; commercial CAs have been doing this for more than a decade.  These
things are huge money-earners for them: they start at around $50K per sub-CA
cert and go from there, and because you have to do this to turn off the
browser warnings, large numbers of companies do it.  I don't know about actual
figures, but from stories I've heard it wouldn't surprise me if many CAs made
the majority of their income from selling padlocks [0] to companies rather
than selling them to web sites.

Or is GeoRoot some novel new thing that I'm not familiar with?

Peter.

[0] By "selling padlocks" I mean you give them money and people who come to
    your site get to see a padlock picture.
