[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

Adam Back adam at cypherspace.org
Tue Feb 14 10:20:19 EST 2012

My point is this - say you are the CEO of a CA.  Do you want to bet your
entire company on no one ever detecting nor reporting the MITM sub-CA that
you issued?  I wouldnt do it.  All it takes is one savy or curious guy in a
10,000 person company.

Consequently if there are any other CAs that have done this, they now know
mozilla and presumably other browsers are on to them and they need to revoke
any mitm sub-CA certs and stop doing it or they risk their CA going
bankrupt like with diginotar.


On Tue, Feb 14, 2012 at 03:51:16PM +0100, Ralph Holz wrote:
>If all users used a tool like Crossbear that does automatic reporting,
>yes. But tools like that are a recent development (and so is
>Convergence, even though it was predated by Perspectives).
>More importantly, however, how capable do you judge users to be? How
>wide-spread do you expect such tools to become? Most users wouldn't know
>what to look for in the beginning, and they would much less care.
>Following your argument, in fact, we should have a large DB with Mitm
>certs and incidents already. We don't - but not because CAs would not
>have issued Mitm certs for Sub-CAs, surely?
>No, CAs would try to hide the fact that they have issued certs that are
>good for Mitm a corporate network. Some big CAs -- to big too fail even,
>maybe, and what about them? -- have not yet publicly stated that they
>have never issued such certs. I think giving them a chance at amnesty is
>a better strategy.
>Ralph Holz
>Network Architectures and Services
>Technische Universität München
>PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF

More information about the cryptography mailing list