[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

Ralph Holz holz at net.in.tum.de
Tue Feb 14 15:41:54 EST 2012


>> Following your argument, in fact, we should have a large DB with Mitm
>> certs and incidents already. We don't - but not because CAs would not
>> have issued Mitm certs for Sub-CAs, surely?
>> No, CAs would try to hide the fact that they have issued certs that are
>> good for Mitm a corporate network. Some big CAs -- too big to fail even,
>> maybe, and what about them? -- have not yet publicly stated that they
>> have never issued such certs. I think giving them a chance at amnesty is
>> a better strategy.
> That penalizes CAs who choose to operate ethically and within the
> bounds of contractual agreements. Just sayin....

Well, it's a point one can make.

The question is whether pulling someone's root would help the ethical
guys so much more, however, or whether having operated unethically has
given the others so much of an advantage. On the whole, the net gain in
security seems better with Marsh's proposal.


Ralph Holz
Network Architectures and Services
Technische Universität München
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
