[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

ianG iang at iang.org
Mon Feb 13 21:31:29 EST 2012

Hi all,

Kathleen at Mozilla has reported that she is having trouble dealing with 
the Trustwave question because she doesn't know how many other CAs have 
issued sub-roots that do MITMs.

Zero, one, a few or many?

I've sent a private email out to those who might have had some direct 
exposure.  If there are any others that might have some info, feel free 
to provide evidence to kwilson at mozilla.com or to me if you want it 
suitably anonymised.

If possible, the name of the CA, and the approximate circumstance.  Also 
how convinced you are that it was a cert issued without the knowledge of 
the owner.  Or any information really...

Obviously we all want to know who and how many ... but right now is not 
the time to repeat demands for full disclosure.  Right now, vendors need 
to decide whether they are dropping CAs or not.
