[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

Ralph Holz holz at net.in.tum.de
Tue Feb 14 05:40:06 EST 2012


Actually, we thought about asking Mozilla directly and in public: how
many such CAs are known to them? I'd have thought that some would have
disclosed themselves to Mozilla after the communication of the past few
weeks. Your mail makes it seem as if that was not the case, or not to a
satisfying degree. Which makes me support Marsh Ray's one-strike
proposal even more strongly: issuing a death sentence to a CA who has
disclosed is counter-productive. It will drive the others deeper into

You know, I can't help but think of the resemblance to the real world
death penalty for humans - AFAICT it does not seem to deter criminals.


On 02/14/2012 03:31 AM, ianG wrote:
> Hi all,
> Kathleen at Mozilla has reported that she is having trouble dealing with
> Trustwave question because she doesn't know how many other CAs have
> issued sub-roots that do MITMs.
> Zero, one, a few or many?
> I've sent a private email out to those who might have had some direct
> exposure.  If there are any others that might have some info, feel free
> to provide evidence to kwilson at mozilla.com or to me if you want it
> suitably anonymised.
> If possible, the name of the CA, and the approximate circumstance.  Also
> how convinced you are that it was a cert issued without the knowledge of
> the owner.  Or any information really...
> Obviously we all want to know who and how many ... but right now is not
> the time to repeat demands for full disclosure.  Right now, vendors need
> to decide whether they are dropping CAs or not.
> iang

Ralph Holz
Network Architectures and Services
Technische Universität München
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
