[cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Dec 3 04:30:17 EST 2011

ianG <iang at iang.org> writes:

>Wifebeating syndrome :)  I was aware of the claim of MITMing, but nobody
>offered proof and it sort of faded away under the cover of NDAs.

You do need to distinguish between CAs issuing sub-CA certs (not for MITM but
for businesses who need them) and DPI MITM certs.  It's the sub-CA certs that
have been around for a decade or more, the MITM certs are a lot newer, and I'm
not sure that the CAs know if, or that, they're being used for this.  For
example a legitimate reason for having a sub-CA is that you want to secure
your servers but don't want to reveal to a third party your entire internal
corporate infrastructure.  So you buy a sub-CA cert and issue your own
internal-use-only certs off it, and you don't have to tell anyone what you're
doing.  Or you may need 10,000 different certs a year every year and it's not
possible to do that via an interface designed for one cert at a time, so you
need to run your own CA to handle the volume and diversity.  A variation of
this is that you act as an RA for the public CA, so you forward gimme-a-cert
requests on to the public CA with the understanding that you've checked that
they're legit.  That Comodo reseller that got compromised seems to have been
one of these, except that they sold to the public rather than being for
corporate-internal-use only.

There's a million reasons why you'd need to do this sort of thing, and most of
them are legitimate business needs, so it's not as if this is some arbitrary
ill-considered decision, it meets a legitimate need.  The problem is caused
(again) by the browser PKI model, if you don't have your cert chaining to one
of a small set of browser-vendor-blessed CAs then you've DoSed your own
servers/sites/whatever, however you may not be in a position to buy certs from
public CAs, so the solution is to buy the CA capabilities that allow you to
deal with this yourself.

Following conventional PKI thinking, should you misbehave (certs for
google.com suddenly turn up issued by your sub-CA) then your sub-CA cert gets
revoked, you lose your 5-6 digit license fee, and possibly the CA gets to beat
you over the head with lawyers.  So there's really no problem.

Oh, except for the fact that revocation doesn't work and in any case no-one
checks to see what you're up to.  But on paper everything's OK.
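
The check that the message says nobody performs, as an added example that is not part of the original post: compare the DNS names in observed leaf certificates against the scope each sub-CA was sold for, and list every sub-CA that issued outside it. The `SUBCA_SCOPE` catalog, the sub-CA names and the observations are constructed assumptions, not real data.

```python
"""Audit observed leaf certificates against each sub-CA's declared scope."""
from collections import defaultdict

# Hypothetical catalog: sub-CA subject name -> DNS suffixes it was issued to cover.
SUBCA_SCOPE = {
    "Example Corp Internal CA": ("corp.example", "example.com"),
}

# Constructed observations: (issuing sub-CA, DNS names in the leaf certificate).
OBSERVED = [
    ("Example Corp Internal CA", ["mail.corp.example", "*.example.com"]),
    ("Example Corp Internal CA", ["www.google.com", "intranet.corp.example"]),
    ("Example Corp Internal CA", ["evilexample.com."]),
    ("Unlisted DPI CA", ["WWW.GOOGLE.COM"]),
]


def normalize(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.strip().lower().rstrip(".")


def in_scope(name, suffixes):
    """True if name equals a permitted suffix or is a subdomain of one."""
    host = normalize(name)
    if host.startswith("*."):
        host = host[2:]  # a wildcard is judged by the domain it covers
    # Require a label boundary so evilexample.com does not match example.com.
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit(observed, scope):
    """Return {sub-CA: sorted out-of-scope names}; an unknown sub-CA has no scope."""
    findings = defaultdict(set)
    for issuer, names in observed:
        allowed = scope.get(issuer, ())
        for name in names:
            if not in_scope(name, allowed):
                findings[issuer].add(normalize(name))
    return {issuer: sorted(names) for issuer, names in findings.items()}


if __name__ == "__main__":
    for issuer, names in audit(OBSERVED, SUBCA_SCOPE).items():
        status = "out of scope" if issuer in SUBCA_SCOPE else "uncatalogued sub-CA"
        print(f"{issuer}: {status}: {', '.join(names)}")
```
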

