[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

Ralph Holz holz at net.in.tum.de
Tue Feb 14 15:41:54 EST 2012


Hi,

>> Following your argument, in fact, we should have a large DB with Mitm
>> certs and incidents already. We don't - but not because CAs would not
>> have issued Mitm certs for Sub-CAs, surely?
>>
>> No, CAs would try to hide the fact that they have issued certs that are
>> good for Mitm on a corporate network. Some big CAs -- too big to fail even,
>> maybe, and what about them? -- have not yet publicly stated that they
>> have never issued such certs. I think giving them a chance at amnesty is
>> a better strategy.
> That penalizes CAs who choose to operate ethically and within the
> bounds of contractual agreements. Just sayin....

Well, it's a point one can make.

The question is whether pulling someone's root would help the ethical
guys so much more, however, or whether having operated unethically has
given the others so much of an advantage. On the whole, the net gain in
security seems better with Marsh's proposal.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
