[cryptography] trustwave admits issuing corporate mitm certs

Krassimir Tzvetanov maillists at krassi.biz
Sun Feb 12 05:43:11 EST 2012


While I'm not a lawyer and my opinion is in no way authoritative, I do not
believe there is any violation. They may be an accessory to a potential
crime but they themselves did not do the tapping.

Now on the other hand those companies that did the tapping should be
OK for as long as they are clear with the employees that they cannot
expect privacy, which usually is the case. Usually this is in the
paperwork you sign when you start working there in the section privacy
policy.

KTT

On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back <adam at cypherspace.org> wrote:
>> So it happened, per recent discussion on this list, it seems that at least
>> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>>
>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>>
>> Mozilla is threatening to remove the CA from their browser.  Trustwave says
>> they have/will revoke all these sub-CAs and will not issue any more.
>>
>> They also claim in their defense that other CAs are doing this.
> Evading computer security systems and tampering with communications is
> a violation of federal law in the US. So says the US Attorney General
> in New Jersey when he charged Wiseguys Tickets with gaming the
> TicketMaster systems [1,2]. If the Attorney General is to be believed,
> Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
>
> Jeff
>
> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
> [2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf
