[cryptography] another cert failure

ianG iang at iang.org
Sat Jan 5 10:14:52 EST 2013


Hi all,


On 5/01/13 15:55 PM, Ralph Holz wrote:
> On 01/05/2013 12:29 PM, Ben Laurie wrote:
>> Unless all the people who saw it happened to be running Chrome, then
>> it seems quite likely it was used maliciously, surely?
>
> The problem is that there are many values that both "legitimately" and
> "maliciously" can take. Turktrust's argument seems to be that it was
> "legitimately" used for SSL interception on a firewall/proxy device.

Ah!  The old "legitimate interception" argument :)

> The SANs in the rogue certs that have been published seem to support
> that. Whether SSL interception is good or bad is, unfortunately, open to
> debate.


I thought that debate was closed - if any CA is issuing root certs for 
SSL interception, that CA can expect to be dropped by the vendors.  If 
that is not happening, then the vendors have once again failed their users.

The users' expectation is clear - the product is purposed to stop MITMs.
If it does not, then the expectations are destroyed and we don't need
the product.

Which is it?  (I'm not asking you, being rhetorical here.)

> That said - does Google currently hold more rogue certs than the ones
> published? Chrome has some other sites pinned, too - is there actually a
> list?
>
> Ralph



iang