On 2/12/11 23:00 PM, Peter Gutmann wrote:
> I guess if you're running into this sort of thing for the first time then
> you'd be out for blood, but if you've been aware of this it going on for more
> than a decade then it's just business as usual for commercial PKI.  I'm
> completely unfazed by it, it's pretty much what you'd expect.

Wifebeating syndrome :) I was aware of the claim of MITMing, but nobody offered proof and it sort of faded away under the cover of NDAs.

The problem here is that it breaks the CA/SSL promise - that there is no MITM. That is the reason for using certificates in the first place, over and above opportunistic encryption. That is the life-blood of SSL v2 - stop the MITM.

If we've decided that the CAs have optioned out the MITM promise on a mass scale, then this breaks the promise. All they've done is sold on the MITMs. So we may as well go back to TOFU.
>> It breaks a clear expectation of security and privacy the user, even a very
>> sophisticated user, has about privacy of their communications.
> Not on a corporate LAN.  IANAL but AFAIK your employer's allowed to run that
> in whatever way they want.

Legally is one plane of dispute: Yes, sure, contractually and under agency theory, the employer is probably within rights. Except, rights can't be contracted away. Data protection commissioners might not agree, as they don't agree that video can be used in offices, only in corridors. And, they don't agree that your radio broadcast information can be recorded by google, in contradiction to international radio convention :) And they can read an MITM promise much like any other user. And legal counsel might be a bit pissed if you get phished and the court case points the finger at the in-house MITM.

The game is not purely logical or contractual or controllable. And reputation adds a joker.


> I think employees just need to be aware that a corporate LAN is owned by your
> employer, and run for their benefit, not yours.  If you want to do
> $non_work_related_whatever, do it from your home system.


I don't think that is a reliable presumption any more. There have been numerous court cases that have trashed the simple "corporate assets" presumption.

iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography