[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

ianG iang at iang.org
Wed Nov 30 23:03:57 EST 2011


On 1/12/11 11:50 AM, Nathan Loofbourrow wrote:
> On Wed, Nov 30, 2011 at 4:47 PM, Rose, Greg <ggr at qualcomm.com> wrote:
>
>     On 2011 Nov 30, at 16:44 , Adam Back wrote:
>
>     > Are there really any CAs which issue sub-CA for "deep packet inspection" aka
>     > doing MitM and issue certs on the fly for everything going through them:
>     > gmail, hotmail, online banking etc.
>
>     Yes, there are. I encountered one in a hotel at Charles de Gaulle
>     airport a few weeks ago.
>
>
> Yup. Boingo does this. Also, many employers.
>

Do these sub-CAs do MITMs on the certs from other CAs?

Is this in any way a cause for action in contract?  Is this a cause for 
revocation?

If a CA is issuing sub-CAs for the purpose of MITMing, is this a reason 
to reset the entire CA?  Or is it ok to do MITMing under certain nice 
circumstances?

iang