Adam Back <[email protected]> writes:

>Start of the thread was that Greg and maybe others claim they've seen a cert
>in the wild doing MitM on domains they definitionally do NOT own.

It's not just a claim; I've seen them too. For example I have a cert issued for google.com from such a MITM proxy. I was asked by the contributor not to reveal any details on it because it contains the name and other info on the intermediate CA that issued it, but it's a cert for google.com used for deep packet inspection on a MITM proxy. I also have a bunch of certs from private-label CAs that chain directly up to big-name public CAs; there's no technical measure I can see in them anywhere that would prevent them from issuing certs under any name.

(An unfortunate effect of the private-label CAs is that they contain identifying information on the organisation that uses them, something I hadn't considered in my "post them to the list" request, and publishing them would publicly out your employer or organisation as doing this. So I'll modify my "post to the list" to "email them to me in private" :-).

>The real question again is can we catch a boingo or corp lan or government
>using a MitM sub-CA cert, and then we'll know which CA is complicit in issuing
>it, and delist them.

Given that some of the biggest CAs around sell private-label CA certs, you'd end up shutting down half the Internet if you did so.

Peter.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
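The "technical measure" whose absence Peter describes is the X.509 nameConstraints extension (RFC 5280 section 4.2.1.10, together with basicConstraints pathLenConstraint): a sub-CA certificate that carries permittedSubtrees can only be used, by a validator that enforces the extension, to issue leaf certificates under those names, while a sub-CA certificate without it is technically free to issue for any name. What follows is an added example, not code from the list thread or from any of its participants. Using only the Python standard library it constructs two placeholder sub-CA certificates in DER (unsigned, dummy key; built here purely so the parser has input), one unconstrained and one limited to example.org with pathLen 0, then parses each and reports whether a leaf for google.com would be acceptable from it. The names build_ca_cert, ca_issuance_limits and may_issue_for are this example's own.

```python
# Added example (not from the original thread): does a sub-CA cert carry any
# technical limit on the names it can issue for? Stdlib only. Sample certs are
# constructed placeholders: unsigned, dummy key, trusted by nothing.

def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one tag-length-value element (short and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one element (single-byte tags only); return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body: bytes):
    """Split a constructed element's body into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def oid_str(body: bytes) -> str:
    """Decode an OBJECT IDENTIFIER body back to dotted form."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

BASIC_CONSTRAINTS, NAME_CONSTRAINTS = "2.5.29.19", "2.5.29.30"

def build_ca_cert(permitted_dns=(), path_len=None) -> bytes:
    """Constructed sample: structurally valid v3 CA cert, dummy key and signature."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"Example private-label sub-CA"))))
    bc = tlv(0x01, b"\xff")                                   # cA TRUE
    if path_len is not None:
        bc += tlv(0x02, bytes([path_len]))                    # pathLenConstraint
    exts = [tlv(0x30, oid(BASIC_CONSTRAINTS) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, bc)))]
    if permitted_dns:
        # permittedSubtrees [0] ::= SEQUENCE OF GeneralSubtree { base dNSName [2] IA5String }
        subtrees = b"".join(tlv(0x30, tlv(0x82, d.encode("ascii"))) for d in permitted_dns)
        exts.append(tlv(0x30, oid(NAME_CONSTRAINTS) + tlv(0x01, b"\xff")
                        + tlv(0x04, tlv(0x30, tlv(0xA0, subtrees)))))
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))   # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg + name
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z")) + name
              + tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00"))
              + tlv(0xA3, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00"))      # placeholder signature, not valid

def ca_issuance_limits(cert_der: bytes) -> dict:
    """Extract the limits a constraint-enforcing validator could apply to this CA cert."""
    limits = {"is_ca": False, "path_len": None, "name_constraints": False, "permitted_dns": []}
    _, cert, _ = read_tlv(cert_der)
    tbs = children(cert)[0][1]
    for tag, body in children(tbs):
        if tag != 0xA3:                                       # extensions [3] EXPLICIT
            continue
        for _, ext in children(children(body)[0][1]):
            fields = children(ext)
            ext_oid, value = oid_str(fields[0][1]), fields[-1][1]   # OCTET STRING wraps the DER value
            if ext_oid == BASIC_CONSTRAINTS:
                for t, v in children(children(value)[0][1]):
                    if t == 0x01:
                        limits["is_ca"] = v == b"\xff"
                    elif t == 0x02:
                        limits["path_len"] = int.from_bytes(v, "big")
            elif ext_oid == NAME_CONSTRAINTS:
                limits["name_constraints"] = True
                for t, subtrees in children(children(value)[0][1]):
                    if t == 0xA0:                             # permittedSubtrees; excludedSubtrees [1] not evaluated
                        for _, subtree in children(subtrees):
                            gn_tag, gn = children(subtree)[0]
                            if gn_tag == 0x82:                # dNSName
                                limits["permitted_dns"].append(gn.decode("ascii"))
    return limits

def may_issue_for(limits: dict, hostname: str) -> bool:
    """Would a validator that enforces name constraints accept a leaf for hostname from this CA?"""
    if not limits["is_ca"]:
        return False
    if not limits["name_constraints"]:
        return True                                           # nothing in the cert stops it: any name at all
    host = hostname.lower().rstrip(".")
    for base in limits["permitted_dns"]:
        base = base.lower()
        if base.startswith("."):                              # ".example.org": subdomains only
            if host.endswith(base):
                return True
        elif host == base or host.endswith("." + base):       # "example.org": the name and everything under it
            return True
    return False

if __name__ == "__main__":
    for label, cert in (("unconstrained", build_ca_cert()),
                        ("constrained", build_ca_cert(permitted_dns=("example.org",), path_len=0))):
        lim = ca_issuance_limits(cert)
        print(label, lim, "leaf for google.com acceptable:", may_issue_for(lim, "google.com"))
```

To run this against a real private-label intermediate, base64-decode the PEM body and pass the bytes to ca_issuance_limits. Two caveats: the DER reader covers only what this check needs (single-byte tags, permittedSubtrees for dNSName; excludedSubtrees and other GeneralName forms are ignored), and a nameConstraints extension only binds the CA if the relying party's chain validator actually enforces it, so the extension is a necessary technical limit, not a sufficient one.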
