[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Florian Weimer fweimer at bfk.de
Tue Dec 6 05:52:43 EST 2011

* Adam Back:

> Are there really any CAs which issue sub-CA for "deep packet inspection" aka
> doing MitM and issue certs on the fly for everything going through them:
> gmail, hotmail, online banking etc.

Such CAs do exist, but to my knowledge, they are enterprise-internal CAs
which are installed on corporate devices, presumably along with other
security software.  Even from a vendor point of view, this additional
installation step is desirable because it fits well with a per-client
licensing scheme, so I'm not sure what the benefit would be to get a
certificate leading to one of the public roots.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the cryptography mailing list