[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

Adam Back adam at cypherspace.org
Tue Feb 14 09:40:15 EST 2012

Well I am not sure how they can hope to go very far underground.  Any and
all users on their internal network could easily detect and anonymously
report the mitm cert for some public web site with out any significant risk
of it being tracked back to them.  Game over.  So removal of one CA from a
major browser like mozilla would pretty much end this practice if it is true
that any CAs other than trustwave actually did this...


On Tue, Feb 14, 2012 at 11:40:06AM +0100, Ralph Holz wrote:
>Actually, we thought about asking Mozilla directly and in public: how
>many such CAs are known to them? I'd have thought that some would have
>disclosed themselves to Mozilla after the communication of the past few
>weeks. Your mail makes it seem as if that was not the case, or not to a
>satisfying degree. Which makes me support Marsh Ray's one-strike
>proposal even more strongly: issuing a death sentence to a CA who has
>disclosed is counter-productive. It will drive the others deeper into
>You kno, I can't help but think of the resemblance to the real world
>death penalty for humans - AFAICT it does not seem to deter criminals.
>On 02/14/2012 03:31 AM, ianG wrote:
>> Hi all,
>> Kathleen at Mozilla has reported that she is having trouble dealing with
>> Trustwave question because she doesn't know how many other CAs have
>> issued sub-roots that do MITMs.
>> Zero, one, a few or many?
>> I've sent a private email out to those who might have had some direct
>> exposure.  If there are any others that might have some info, feel free
>> to provide evidence to kwilson at mozilla.com or to me if you want it
>> suitably anonymised.
>> If possible, the name of the CA, and the approximate circumstance.  Also
>> how convinced you are that it was a cert issued without the knowledge of
>> the owner.  Or any information really...
>> Obviously we all want to know who and how many ... but right now is not
>> the time to repeat demands for full disclosure.  Right now, vendors need
>> to decide whether they are dropping CAs or not.
>> iang
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>Ralph Holz
>Network Architectures and Services
>Technische Universität München
>PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF

>cryptography mailing list
>cryptography at randombit.net

More information about the cryptography mailing list