[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Jon Callas jon at callas.org
Tue Dec 6 09:46:06 EST 2011

On 6 Dec, 2011, at 3:43 AM, ianG wrote:

> The promise of PKI in secure browsing is that it addresses the MITM.  That's it, in a nutshell.  If that promise is not true, then we might as well use something else.

Is it?

I thought that the purpose of a certificate was to authenticate the server to the client. This is a small, but important difference. If you properly authenticate the server, then (one hopes) we've tacitly eliminated both an impersonation attack and a MiTM (an MiTM is merely a real-time, two-way impersonation).

The problem is that we're authenticating the server by naming, and there are many entities with a reason to lie about names. There are legitimate and illegitimate reasons to lie about names, and while we know that it's going on, we don't have a characterization of what reality even *is*.

We're seeing this in this very discussion. I also want to see proof that this is going on. I know it is, but I want to see it. These bogus certs are a lot like dark matter -- we know they're there, but we have little direct observation of them.
