[cryptography] trustwave admits issuing corporate mitm certs

Jeffrey Walton noloader at gmail.com
Sun Feb 12 04:27:42 EST 2012

On Sun, Feb 12, 2012 at 4:04 AM, Adam Back <adam at cypherspace.org> wrote:
> So it happened, per recent discussion on this list, it seems that at least
> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
> Mozilla is threatening to remove the CA from their browser.  Trustwave says
> they have/will revoke all these sub-CAs and will not issue any more.
> They also claim in their defense that other CAs are doing this.

Evading computer security systems and tampering with communications is
a violation of federal law in the US. So says the US Attorney General
in New Jersey when he charged Wiseguys Tickets with gaming the
TicketMaster systems [1,2]. If the Attorney General is to be believed,
Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).


[1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
[2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf

