[cryptography] current limits of proving MITM (Re: Gmail and SSL)
James A. Donald
jamesd at echeque.com
Sun Dec 16 18:05:01 EST 2012
On 2012-12-16 7:48 PM, ianG wrote:
> Just to nitpick on this point, a CA certainly can claim that they or
> an agent did not sign a certificate. And, they can provide the
> evidence, and should have the ability to do this: CAs internally have
> logs as to what they did or did not sign, and this is part of their
> internal process.

Let us compare with the financial crisis. Banks had internal procedures
and paperwork that supposedly showed that their loans were justified.
After 2005 everyone knew the truth, though saying it out loud in plain
words was and is politically incorrect.

Yet despite billion-dollar lawsuits to extract that paperwork from the
banks, we only have very partial and incomplete information.

From which I conclude that if a CA misbehaved, and you had a
high-powered team of lawyers, and a few billion dollars, you might be able to
get those logs.