[cryptography] current limits of proving MITM (Re: Gmail and SSL)

Jeffrey Walton noloader at gmail.com
Sun Dec 16 18:15:28 EST 2012


On Sun, Dec 16, 2012 at 6:05 PM, James A. Donald <jamesd at echeque.com> wrote:
> On 2012-12-16 7:48 PM, ianG wrote:
>>
>> Just to nitpick on this point, a CA certainly can claim that they or an
>> agent did not sign a certificate.  And, they can provide the evidence, and
>> should have the ability to do this:  CAs internally have logs as to what
>> they did or did not sign, and this is part of their internal process.
>
>
> Let us compare with the financial crisis.  Banks had internal procedures and
> paperwork that supposedly showed that their loans were justified.  After
> 2005 everyone knew the truth, though saying it out loud in plain words was
> and is politically incorrect.
I did not want to draw the metaphor :)

> Yet despite billion dollar lawsuits to extract that paperwork from the
> banks, we have only have very partial and incomplete information.
The rating firms were making money from the transactions.  The
auditors were making money from the transactions.  The lawyers were
making money from the transactions. The groups were part of the safety
net. The safety net was dismantled with money.

> From which I conclude that if a CA misbehaved, and you had a high powered
> team of lawyers, and a few billion dollars, you might be able to get those
> logs.
Yep, its the game in "catch me if you can" corporate america. As I
said, the stick is mandatory. The carrot is optional.

Its really a shame we have to deal with political issues in a
technology field. When I took System Analysis and Design years ago, I
thought the instructor was exaggerating things like political and
religious feasibility on technical systems. I was clearly wrong.

Jeff



More information about the cryptography mailing list