[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

Ralph Holz holz at net.in.tum.de
Tue Feb 14 09:51:16 EST 2012


> Well I am not sure how they can hope to go very far underground.  Any and
> all users on their internal network could easily detect and anonymously
> report the MITM cert for some public web site without any significant risk
> of it being tracked back to them.  Game over.  So removal of one CA from a
> major browser like Mozilla would pretty much end this practice if it is
> true that any CAs other than Trustwave actually did this...

If all users used a tool like Crossbear that does automatic reporting,
yes. But tools like that are a recent development (and so is
Convergence, even though it was predated by Perspectives).

More importantly, however, how capable do you judge users to be? How
widespread do you expect such tools to become? Most users wouldn't know
what to look for in the beginning, and they would care much less.

Following your argument, in fact, we should have a large DB with MITM
certs and incidents already. We don't - but not because CAs would not
have issued MITM certs for sub-CAs, surely?

No, CAs would try to hide the fact that they have issued certs that are
good for MITM on a corporate network. Some big CAs -- too big to fail even,
maybe, and what about them? -- have not yet publicly stated that they
have never issued such certs. I think giving them a chance at amnesty is
a better strategy.


Ralph Holz
Network Architectures and Services
Technische Universität München
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
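Added here as an illustration, not code from the original message or from the Crossbear, Convergence or Perspectives projects: a minimal notary-style consistency check of the kind those tools perform. All hostnames, key fingerprints and vantage-point names below are constructed sample data. It shows the distinction a detector has to make before it raises an alarm: a key that only the local vantage point sees differently (suspect interception) versus a key on which the notaries themselves do not yet agree (for example a certificate rotation in progress), and it builds a report that carries fingerprints only, with no client identity in it.

```python
"""Notary-style check of a locally observed TLS key against remote observations.

Added illustration; every host, fingerprint and vantage below is constructed.
"""
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Observation:
    host: str
    spki_sha256: str   # hex SHA-256 over the leaf SubjectPublicKeyInfo
    vantage: str       # "local" for the client itself, otherwise a notary name


def fp(label: str) -> str:
    """Constructed stand-in for an SPKI fingerprint (hash of a label, not a real key)."""
    return sha256(label.encode()).hexdigest()


# Constructed notary view. Three independent vantage points agree on example.com;
# the two notaries that have seen rotating.example disagree (rotation in progress).
NOTARY_OBSERVATIONS = [
    Observation("example.com", fp("key-A"), "notary-eu"),
    Observation("example.com", fp("key-A"), "notary-us"),
    Observation("example.com", fp("key-A"), "notary-asia"),
    Observation("rotating.example", fp("key-old"), "notary-eu"),
    Observation("rotating.example", fp("key-new"), "notary-us"),
]


def consensus(observations, host: str, quorum: int = 2):
    """Return the fingerprint that at least `quorum` distinct notaries report for `host`.

    Returns None when no fingerprint reaches the quorum or when two do with equal
    support, i.e. when the notaries cannot vouch for a single key.
    """
    support = {}
    for o in observations:
        if o.host == host and o.vantage != "local":
            support.setdefault(o.spki_sha256, set()).add(o.vantage)
    ranked = sorted(support.items(), key=lambda kv: len(kv[1]), reverse=True)
    if not ranked or len(ranked[0][1]) < quorum:
        return None
    if len(ranked) > 1 and len(ranked[1][1]) == len(ranked[0][1]):
        return None
    return ranked[0][0]


def classify(local: Observation, notaries, quorum: int = 2) -> str:
    """Classify the client's own observation against notary consensus.

    "consistent"   - local key matches what the notaries see
    "suspect-mitm" - notaries agree on a key, and the local view differs
    "no-consensus" - notaries do not agree (or have no data); no verdict possible
    """
    agreed = consensus(notaries, local.host, quorum)
    if agreed is None:
        return "no-consensus"
    return "consistent" if agreed == local.spki_sha256 else "suspect-mitm"


def build_report(local: Observation, notaries, quorum: int = 2) -> dict:
    """Report a client could submit: host, verdict and fingerprints only, no client identity."""
    return {
        "host": local.host,
        "verdict": classify(local, notaries, quorum),
        "observed_spki": local.spki_sha256,
        "notary_spki": consensus(notaries, local.host, quorum),
    }


if __name__ == "__main__":
    # Constructed local observations: the second one is what an interception
    # proxy on the client's network would present for example.com.
    for local in (
        Observation("example.com", fp("key-A"), "local"),
        Observation("example.com", fp("proxy-key"), "local"),
        Observation("rotating.example", fp("key-new"), "local"),
    ):
        print(build_report(local, NOTARY_OBSERVATIONS))
```

The quorum parameter is the knob the thread is really arguing about: with too few notaries (or too few users running such a tool) most hosts never reach consensus, so the check yields "no-consensus" rather than a verdict, and the interception goes unreported even though the client saw it.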
