[cryptography] yet another certificate MITM attack

ianG iang at iang.org
Mon Jan 14 09:15:14 EST 2013


On 14/01/13 14:04 PM, Ben Laurie wrote:
> On 14 January 2013 06:11, ianG <iang at iang.org> wrote:

>> More particularly, banks will have a cause of action against their CA, which
>> has not apparently batted an eye about the breach of the security model.
>> Sure, so everyone is doing this.  Sure, so there is a really good
>> optimisation argument.
>
> How is any CA involved in this?

The legal theory would be something like this:

CAs issue root certificates which are put into root lists.  The CA has a 
contract with each vendor that manages and distributes the root list. 
That contract should have appropriate controls in it.

If those controls aren't followed by the vendor, or the controls are 
inadequate, then the CA is negligent.

Beyond that, there are many devils & details.

iang




More information about the cryptography mailing list