[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

Jeffrey Walton noloader at gmail.com
Tue Feb 14 15:31:00 EST 2012

On Tue, Feb 14, 2012 at 9:51 AM, Ralph Holz <holz at net.in.tum.de> wrote:
> Hi,
>> Well I am not sure how they can hope to go very far underground.  Any and
>> all users on their internal network could easily detect and anonymously
>> report the mitm cert for some public web site without any significant risk
>> of it being tracked back to them.  Game over.  So removal of one CA from a
>> major browser like mozilla would pretty much end this practice if it is
>> true
>> that any CAs other than trustwave actually did this...
> If all users used a tool like Crossbear that does automatic reporting,
> yes. But tools like that are a recent development (and so is
> Convergence, even though it was predated by Perspectives).
> More importantly, however, how capable do you judge users to be? How
> wide-spread do you expect such tools to become? Most users wouldn't know
> what to look for in the beginning, and they would much less care.
> Following your argument, in fact, we should have a large DB with Mitm
> certs and incidents already. We don't - but not because CAs would not
> have issued Mitm certs for Sub-CAs, surely?
> No, CAs would try to hide the fact that they have issued certs that are
> good for Mitm a corporate network. Some big CAs -- too big to fail even,
> maybe, and what about them? -- have not yet publicly stated that they
> have never issued such certs. I think giving them a chance at amnesty is
> a better strategy.
That penalizes CAs who choose to operate ethically and within the
bounds of contractual agreements. Just sayin....
