[cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

ianG iang at iang.org
Sat Dec 3 10:34:35 EST 2011

>> Wifebeating syndrome :)  I was aware of the claim of MITMing, but nobody
>> offered proof and it sort of faded away under the cover of NDAs.

Just on that above: Back in 2005, 2006 or so when the Mozilla policy was 
being written, allegations surfaced that two CAs were practicing MITMing 
as a business model.  From what I recall of the discussion, the business 
model as suggested bears an uncanny resemblance to DPI, 'cepting the 
data was on-sold.

Surprise surprise, the audit criteria of the time did not exclude this, 
and as long as you declared it in your CPS, you were on the safe but 
dirty side of some line somewhere.  However, no proof was forthcoming, 
and the offensive security-by-NDA trick worked again, with a nod to Dan.

On 3/12/11 20:30 PM, Peter Gutmann wrote:
>> You do need to distinguish between CAs issuing sub-CA certs (not for MITM but
>> for businesses who need them) and DPI MITM certs.  It's the sub-CA certs that
>> have been around for a decade or more, the MITM certs are a lot newer, and I'm
>> not sure that the CAs know if, or that, they're being used for this.

Ah ok, yes.  The issue of sub-CAs and external RAs has been widely 
discussed in Mozilla's public forum.

> For
> example a legitimate reason for having a sub-CA is that you want to secure
> your servers but don't want to reveal to a third party your entire internal
> corporate infrastructure.  So you buy a sub-CA cert and issue your own
> internal-use-only certs off it, and you don't have to tell anyone what you're
> doing.  Or you may need 10,000 different certs a year every year and it's not
> possible to do that via an interface designed for one cert at a time, so you
> need to run your own CA to handle the volume and diversity.  A variation of
> this is that you act as an RA for the public CA, so you forward gimme-a-cert
> requests on to the public CA with the understanding that you've checked that
> they're legit.  That Comodo reseller that got compromised seems to have been
> one of these, except that they sold to the public rather than being for
> corporate-internal-use only.
>
> There's a million reasons why you'd need to do this sort of thing, and most of
> them are legitimate business needs, so it's not as if this is some arbitrary
> ill-considered decision, it meets a legitimate need.  The problem is caused
> (again) by the browser PKI model, if you don't have your cert chaining to one
> of a small set of browser-vendor-blessed CAs then you've DoSed your own
> servers/sites/whatever, however you may not be in a position to buy certs from
> public CAs, so the solution is to buy the CA capabilities that allow you to
> deal with this yourself.
>
> Following conventional PKI thinking, should you misbehave (certs for
> google.com suddenly turn up issued by your sub-CA) then your sub-CA cert gets
> revoked, you lose your 5-6 digit license fee, and possibly the CA gets to beat
> you over the head with lawyers.  So there's really no problem.
>
> Oh, except for the fact that revocation doesn't work and in any case no-one
> checks to see what you're up to.  But on paper everything's OK.

As I understand it at the moment, the new Baseline Requirements has 
established the firm rule that whatever is done with these things, the 
CA is fully responsible and the Auditor rules over the entire hierarchy 
[0].  (I for one am mollified.  Others remain less so.)  So I'd rewrite 
the above last part to say, and your CA gets dropped from the root list 
of major vendors.

What is the earliest sighting of a DPI-inspired MITM cert?


PS: we need a better name than DPI MITM.  For some reason I'm thinking 
of WITM.

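The point Peter makes above (a sub-CA chaining to a trusted root can mint a cert for google.com, the chain validates, and nobody checks) is easy to reproduce in code. The program below is an added example, written for this archive page and not taken from the post or from any CA's software; every CA, hostname and pin in it is constructed in memory. It builds a root, an unconstrained corporate sub-CA, a name-constrained sub-CA and an "expected" public sub-CA, then shows (a) that standard chain validation accepts the unconstrained sub-CA's cert for www.google.com, (b) that an X.509 name constraint on the sub-CA makes the same cert fail, and (c) that pinning the expected issuer's SubjectPublicKeyInfo hash per host flags the mis-issued chain even though it validated. The pin list and its format are my assumption, not anything the thread specifies.

```go
package main

// Added example (not from the original post). All CAs, hosts and pins are constructed.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // toy serial counter; a real CA uses random 64+ bit serials

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign fills in serial and validity, signs tmpl with parentKey and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makeCA builds a CA cert (self-signed root when parent is nil). A non-empty
// permitted list adds a critical name constraint: the CA may only sign for those domains.
func makeCA(parent *ca, cn string, permitted []string) ca {
	k := newKey()
	t := &x509.Certificate{
		Subject:                     pkix.Name{CommonName: cn},
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	if parent == nil {
		return ca{sign(t, t, &k.PublicKey, k), k}
	}
	return ca{sign(t, parent.cert, &k.PublicKey, parent.key), k}
}

// issueLeaf is what a sub-CA does for its customers (or, unchecked, for any name at all).
func issueLeaf(issuer ca, host string) *x509.Certificate {
	k := newKey()
	t := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(t, issuer.cert, &k.PublicKey, issuer.key)
}

// verifyChain is the browser's question: is there a path from leaf to a trusted root
// that is valid for host? It never asks whether this issuer should be signing for host.
func verifyChain(leaf *x509.Certificate, sub, root ca, host string) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	inters.AddCert(sub.cert)
	return leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
}

// spkiHash is the value a site operator pins: SHA-256 over the DER SubjectPublicKeyInfo.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// issuerPinned reports whether some CA in the validated chain matches a pin recorded for
// host. A chain that validates but matches no pin is exactly the case worth cataloguing.
func issuerPinned(leaf *x509.Certificate, sub, root ca, host string, pins map[string][]string) (bool, error) {
	chains, err := verifyChain(leaf, sub, root, host)
	if err != nil {
		return false, err
	}
	for _, c := range chains[0][1:] { // skip the leaf; pins name CAs
		for _, p := range pins[host] {
			if spkiHash(c) == p {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	root := makeCA(nil, "Constructed Public Root", nil)
	corpOpen := makeCA(&root, "Corp Sub-CA (unconstrained)", nil)
	corpNC := makeCA(&root, "Corp Sub-CA (name-constrained)", []string{"example.com"})
	expected := makeCA(&root, "Constructed Public Sub-CA", nil)
	pins := map[string][]string{"www.google.com": {spkiHash(expected.cert)}}

	_, err := verifyChain(issueLeaf(corpOpen, "www.google.com"), corpOpen, root, "www.google.com")
	fmt.Println("unconstrained sub-CA cert for www.google.com validates:", err == nil)
	_, err = verifyChain(issueLeaf(corpNC, "www.google.com"), corpNC, root, "www.google.com")
	fmt.Println("name-constrained sub-CA, same name, validates:", err == nil, "|", err)
	ok, _ := issuerPinned(issueLeaf(corpOpen, "www.google.com"), corpOpen, root, "www.google.com", pins)
	fmt.Println("unconstrained sub-CA cert matches the pin for www.google.com:", ok)
	ok, _ = issuerPinned(issueLeaf(expected, "www.google.com"), expected, root, "www.google.com", pins)
	fmt.Println("expected issuer's cert matches the pin:", ok)
}
```

Two things follow from running it. Chain validation alone cannot tell a corporate sub-CA's cert for someone else's domain from a legitimate one, which is the gap the thread is complaining about; a name constraint on the sub-CA closes it at issuance time, and a per-host record of expected issuers catches it at the client even when the constraint is missing. Neither check is something browsers of the time did by default.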