[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

Steven Bellovin smb at cs.columbia.edu
Tue Feb 14 14:09:20 EST 2012


On Feb 14, 2012, at 1:16 23PM, Jon Callas wrote:

> 
> On Feb 14, 2012, at 7:42 AM, ianG wrote:
> 
>> On 14/02/12 21:40 PM, Ralph Holz wrote:
>>> Ian,
>>> 
>>> Actually, we thought about asking Mozilla directly and in public: how
>>> many such CAs are known to them?
>> 
>> It appears their thoughts were "none."
>> 
>> Of course there have been many claims in the past.   But the Mozilla CA desk is frequently surrounded by buzzing small black helicopters so it all becomes noise.
> 
> I've asked about this, too, and the *documented* evidence of this happening is exactly that -- zero.
> 
> I believe it happens. People I trust have told me, whispered in my ear, and assured me that someone they know has told them about it, but there's documented evidence of it zero times.
> 
> I'd accept a screen shot of a cert display or other things as evidence, myself, despite those being quite forgeable, at this point.
> 
> Their thoughts of it being none are reasonably agnostic on it.
> 
> Those who have evidence need to start sharing.
> 

A related question...

Sub-CAs for a single company are obviously not a problem.  Thus, if a major CA were to issue WhizzBangWidgets a CA cert capable of issuing certificates for anything in *.WhizzBangWidgets.com, it would be seen as entirely proper.  The issue is whether or not that sub-CA can issue certificates for, say, google.com.  The restriction is enforced by the Name Constraints field in the CA's cert.  However, this is seldom-enough seen that I have no idea if it's actually usable.  So -- do major cert-accepting programs examine and honor this field, and do it correctly?  I know that OpenSSL has some code to support it; does it work?  What about Firefox's?  The certificate-handling code in various versions of Windows?  Of MacOS?


		--Steve Bellovin, https://www.cs.columbia.edu/~smb








More information about the cryptography mailing list