[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

ianG iang at iang.org
Tue Feb 14 10:42:09 EST 2012

On 14/02/12 21:40 PM, Ralph Holz wrote:
> Ian,
> Actually, we thought about asking Mozilla directly and in public: how
> many such CAs are known to them?

It appears their thoughts were "none."

Of course there have been many claims in the past.   But the Mozilla CA 
desk is frequently surrounded by buzzing small black helicopters so it 
all becomes noise.

> I'd have thought that some would have
> disclosed themselves to Mozilla after the communication of the past few
> weeks. Your mail makes it seem as if that was not the case, or not to a
> satisfying degree.

Sigh.  One of the things that went very wrong with Mozilla is that the 
CAs started private non-disclosable discussions.  Of course, this led to 
a lot of manipulation, and basically we have no idea what things have 
happened behind the covers.  It's now the case that the open forum has 
very little influence and CAs in private & confidential conversations 
have most or practically all of the influence.

So even if they have disclosed it in the last few weeks, we are likely 
never to know.  Which means that Mozilla's decision will be announced in 
a vacuum.  Nobody will be happy.

> Which makes me support Marsh Ray's one-strike
> proposal even more strongly: issuing a death sentence to a CA who has
> disclosed is counter-productive. It will drive the others deeper into
> hiding.
> You kno, I can't help but think of the resemblance to the real world
> death penalty for humans - AFAICT it does not seem to deter criminals.

The only real power Mozilla has is to strike them off the root list. 
It's only been done when the decision was easy for other reasons.

I agree that this is the most interesting and challenging thing to hit 
Mozilla in a while.  Coz of the whole trust and reliance thing; users 
put a lot of their trust in Mozilla.


> Ralph
> On 02/14/2012 03:31 AM, ianG wrote:
>> Hi all,
>> Kathleen at Mozilla has reported that she is having trouble dealing with
>> Trustwave question because she doesn't know how many other CAs have
>> issued sub-roots that do MITMs.
>> Zero, one, a few or many?
>> I've sent a private email out to those who might have had some direct
>> exposure.  If there are any others that might have some info, feel free
>> to provide evidence to kwilson at mozilla.com or to me if you want it
>> suitably anonymised.
>> If possible, the name of the CA, and the approximate circumstance.  Also
>> how convinced you are that it was a cert issued without the knowledge of
>> the owner.  Or any information really...
>> Obviously we all want to know who and how many ... but right now is not
>> the time to repeat demands for full disclosure.  Right now, vendors need
>> to decide whether they are dropping CAs or not.
>> iang
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography

More information about the cryptography mailing list