[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)
iang at iang.org
Wed Nov 30 23:03:57 EST 2011
On 1/12/11 11:50 AM, Nathan Loofbourrow wrote:
> On Wed, Nov 30, 2011 at 4:47 PM, Rose, Greg <ggr at qualcomm.com
> <mailto:ggr at qualcomm.com>> wrote:
> On 2011 Nov 30, at 16:44 , Adam Back wrote:
> > Are there really any CAs which issue sub-CA for "deep packet
> inspection" aka
> > doing MitM and issue certs on the fly for everything going
> through them:
> > gmail, hotmail, online banking etc.
> Yes, there are. I encountered one in a hotel at Charles de Gaulle
> airport a few weeks ago.
> Yup. Boingo does this. Also, many employers.
Do these sub-CAs do MITMs on the certs from other CAs?
Is this in anyway a cause for action in contract? Is this a caused for
If a CA is issuing sub-CAs for the purpose of MITMing, is this a reason
to reset the entire CA? Or is it ok to do MITMing under certain nice
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cryptography