[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?
holz at net.in.tum.de
Tue Feb 14 10:23:30 EST 2012
On 02/14/2012 04:20 PM, Adam Back wrote:
> My point is this - say you are the CEO of a CA. Do you want to bet
> your entire company on no one ever detecting or reporting the MITM
> sub-CA that you issued? I wouldn't do it. All it takes is one savvy
> or curious guy in a 10,000 person company.
> Consequently if there are any other CAs that have done this, they now
> know Mozilla and presumably other browsers are on to them and they
> need to revoke any MITM sub-CA certs and stop doing it or they risk
> their CA going bankrupt like with DigiNotar.
Yes, I got that. I just think it's not how a normal CEO would react if
TrustWave had been kicked out *after* confessing what they'd done. If
that confession had been met with punishment, CAs would have had only an
incentive to hide, but not to make further confessions. That's why I
said I like Marsh's proposal: incentives are now to make up for past
mistakes, *and* take precautions they are not repeated. That's a net
gain in security for everyone, and that's why I was against kicking out
Network Architectures and Services
Technische Universität München
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF