[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

Ralph Holz holz at net.in.tum.de
Tue Feb 14 10:23:30 EST 2012


On 02/14/2012 04:20 PM, Adam Back wrote:
> My point is this - say you are the CEO of a CA.  Do you want to bet
> your entire company on no one ever detecting nor reporting the MITM
> sub-CA that you issued?  I wouldn't do it.  All it takes is one savvy
> or curious guy in a 10,000 person company.
> Consequently if there are any other CAs that have done this, they now
> know Mozilla and presumably other browsers are on to them and they
> need to revoke any MITM sub-CA certs and stop doing it or they risk
> their CA going bankrupt like with DigiNotar.

Yes, I got that. I just think it's not how a normal CEO would react if
TrustWave had been kicked out *after* confessing what they'd done. If
that confession had been met with punishment, CAs would have had only an
incentive to hide, but not to make further confessions. That's why I
said I like Marsh's proposal: incentives are now to make up for past
mistakes, *and* take precautions they are not repeated. That's a net
gain in security for everyone, and that's why I was against kicking out


Ralph Holz
Network Architectures and Services
Technische Universität München
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
