[cryptography] current limits of proving MITM (Re: Gmail and SSL)

James A. Donald jamesd at echeque.com
Sun Dec 16 18:05:01 EST 2012


On 2012-12-16 7:48 PM, ianG wrote:
> Just to nitpick on this point, a CA certainly can claim that they or 
> an agent did not sign a certificate.  And, they can provide the 
> evidence, and should have the ability to do this:  CAs internally have 
> logs as to what they did or did not sign, and this is part of their 
> internal process.

Let us compare with the financial crisis.  Banks had internal procedures 
and paperwork that supposedly showed that their loans were justified.  
After 2005 everyone knew the truth, though saying it out loud in plain 
words was and is politically incorrect.

Yet despite billion dollar lawsuits to extract that paperwork from the 
banks, we have only very partial and incomplete information.

From which I conclude that if a CA misbehaved, and you had a high 
powered team of lawyers, and a few billion dollars, you might be able to 
get those logs.
