
Adam Back <adam@cypherspace.org> writes:
> Start of the thread was that Greg and maybe others claim they've seen a cert in the wild doing MitM on domains they definitionally do NOT own.
It's not just a claim, I've seen them too. For example I have a cert issued for google.com from such a MITM proxy. I was asked by the contributor not to reveal any details on it because it contains the name and other info on the intermediate CA that issued it, but it's a cert for google.com used for deep packet inspection on a MITM proxy. I also have a bunch of certs from private-label CAs that chain directly up to big-name public CAs, there's no technical measure I can see in them anywhere that would prevent them from issuing certs under any name. (An unfortunate effect of the private-label CAs is that they contain identifying information on the organisation that uses them, something I hadn't considered in my "post them to the list" request, and publishing them would publicly out your employer or organisation as doing this. So I'll modify my "post to the list" to "email them to me in private" :-).
> The real question again is can we catch a boingo or corp lan or government using a MitM sub-CA cert, and then we'll know which CA is complicit in issuing it, and delist them.
Given that some of the biggest CAs around sell private-label CA certs, you'd end up shutting down half the Internet if you did so.

Peter.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
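The "technical measure" Peter finds missing from those private-label sub-CA certs would be a NameConstraints extension (and, more weakly, a pathLenConstraint). As an added example that is not code from the thread, the following stdlib-only DER walker reads the Extensions SEQUENCE of a CA certificate and reports whether anything in it limits what names the CA may issue for; the two sample extension blocks are constructed here for illustration, and a real audit would feed it the extensions of an actual intermediate.

```python
# Added example (not from the thread): inspect a sub-CA certificate's X.509
# extensions and report whether anything in them limits issuance.
# Minimal DER reader; both sample Extensions blocks below are constructed.
BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # OID 2.5.29.19
NAME_CONSTRAINTS = bytes.fromhex("551d1e")    # OID 2.5.29.30

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split the content of a constructed element into (tag, content) items."""
    out, pos = [], 0
    while pos < len(content):
        tag, item, pos = der_read(content, pos)
        out.append((tag, item))
    return out

def audit_subca_extensions(extensions_der):
    """Return what, if anything, in an Extensions SEQUENCE limits issuance."""
    report = {"is_ca": False, "path_len": None, "name_constraints": False}
    for _, extension in der_children(der_read(extensions_der)[1]):
        parts = der_children(extension)            # OID, [critical BOOLEAN], OCTET STRING
        oid, value = parts[0][1], parts[-1][1]
        if oid == BASIC_CONSTRAINTS:
            _, seq, _ = der_read(value)            # SEQUENCE { cA BOOLEAN, pathLen INTEGER }
            for tag, v in der_children(seq):
                if tag == 0x01 and v != b"\x00":
                    report["is_ca"] = True
                elif tag == 0x02:
                    report["path_len"] = int.from_bytes(v, "big")
        elif oid == NAME_CONSTRAINTS:
            report["name_constraints"] = True      # the only extension that limits names
    return report

def der(tag, content):                             # short-form encoder for the samples
    return bytes([tag, len(content)]) + content
def extension(oid, value):                         # Extension marked critical
    return der(0x30, der(0x06, oid) + der(0x01, b"\xff") + der(0x04, value))

# Constructed sample 1: the private-label pattern in the post, cA=TRUE and nothing else.
UNCONSTRAINED = der(0x30, extension(BASIC_CONSTRAINTS, der(0x30, der(0x01, b"\xff"))))
# Constructed sample 2: pathLen 0 plus NameConstraints permitting only dNSName example.com.
PERMITTED = der(0x30, der(0xA0, der(0x30, der(0x30, der(0x82, b"example.com")))))
CONSTRAINED = der(0x30, extension(BASIC_CONSTRAINTS, der(0x30, der(0x01, b"\xff") + der(0x02, b"\x00")))
              + extension(NAME_CONSTRAINTS, PERMITTED))
```

Run `audit_subca_extensions(...)` on each sample: the first comes back with no name constraints and no path-length limit, which is exactly the "can issue under any name" situation described above; the second shows what a constrained intermediate looks like.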