Some random chiming in...

On 2011 Dec 2, at 5:00, Adam Back wrote:

> On Sat, Dec 03, 2011 at 01:00:14AM +1300, Peter Gutmann wrote:
>> I was asked not to reveal details and I won't,
>
> Of course, I would do the same if so asked. But there are lots of people on
> the list who have not obtained information indirectly, with confidentiality
> assurances offered, and for them remailers exist.
>
>> but in any case I don't know whether it would achieve much. For the case
>> of a public CA doing it, you'd see that CA X is involved, ...
>
> personally I'd like to know who is doing this and at what scale.

As Peter said, this has been happening for some years. The reason I mentioned
CDG airport is because it's the only such incident where I remembered exactly
where I was (Sheraton hotel, never staying there again... not that this is the
reason why). To me it was just the usual speed bump to be worked around.

>> I guess if you're running into this sort of thing for the first time then
>> you'd be out for blood, but if you've been aware of this going on for more
>> than a decade then it's just business as usual for commercial PKI. I'm
>> completely unfazed by it, it's pretty much what you'd expect.
>
> I do not think it's what you'd expect. A CA should issue certificates only
> to the holders of certificates. It should NOT issue sub-CA certificates to
> third parties who will then issue certs to domains they don't own. Not even
> on the fly inside a "packet inspection" box.

For how many years have Thawte and Verisign and others been prepared to issue
certificates based only on the fact that the cheque cleared?

> If someone wants to inspect packets on a corporate LAN they can issue their
> own self-signed cert, and install that in their users' browsers in their OS
> install image.
>
> Then if I go on their LAN with my own equipment, I'll get a warning.
>
> I think it's unacceptable to have CAs issuing such certs.

I agree. But like a lot of unacceptable things, it happens because it makes
money for someone.

>>> It breaks a clear expectation of security and privacy the user, even a very
>>> sophisticated user, has about privacy of their communications.
>>
>> Not on a corporate LAN. IANAL but AFAIK your employer's allowed to run that
>> in whatever way they want.
>
> No. Also IANAL but there were several cases where employees did have an
> expectation of privacy upheld even in the US. Certainly you can't do that in
> the EU legally either.

So now the company uses a login banner that says "You have no expectation of
privacy when using this system." And of course the employee has no choice but
to click through.

[rest snipped.]

Greg.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
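The two interception set-ups contrasted in the thread above (a public root issuing a sub-CA to a "packet inspection" box that mints certs for domains it does not own, versus a corporation installing its own self-signed root in its OS image) can be reproduced with nothing but Go's standard-library X.509 path validation. The block below is an added example written for this page; it is not code from the thread or from any of its participants. Every CA name, the domain www.example.com, the serial numbers and the keys are constructed on the fly, and the checks are ordinary RFC 5280 chain building of the kind a browser performs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host is a domain owned by neither the inspection box nor the corporation (constructed).
const Host = "www.example.com"

// World holds the hypothetical certificates for the two chains discussed in the thread.
type World struct {
	PublicRoot      *x509.Certificate // a root that clients trust out of the box
	InspectionSubCA *x509.Certificate // sub-CA that root issued to a "packet inspection" box
	InterceptLeaf   *x509.Certificate // cert for Host, minted on the fly by that sub-CA
	EnterpriseRoot  *x509.Certificate // self-signed corporate root, shipped in the OS image
	EnterpriseLeaf  *x509.Certificate // cert for Host, minted by the corporate root
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal CA (isCA) or TLS-server leaf template for cn.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		t.DNSNames = []string{cn} // hostname checks use SANs, not the CN
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustIssue signs tmpl for pub with signer's key; a nil parent means self-signed.
func mustIssue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewWorld generates fresh keys and issues both chains.
func NewWorld() *World {
	rootKey, subKey, boxKey, entKey, entLeafKey := newKey(), newKey(), newKey(), newKey(), newKey()
	w := &World{}
	w.PublicRoot = mustIssue(template("Public Root CA", 1, true), nil, &rootKey.PublicKey, rootKey)
	w.InspectionSubCA = mustIssue(template("Packet Inspection Sub-CA", 2, true), w.PublicRoot, &subKey.PublicKey, rootKey)
	w.InterceptLeaf = mustIssue(template(Host, 3, false), w.InspectionSubCA, &boxKey.PublicKey, subKey)
	w.EnterpriseRoot = mustIssue(template("Corp Internal Root", 4, true), nil, &entKey.PublicKey, entKey)
	w.EnterpriseLeaf = mustIssue(template(Host, 5, false), w.EnterpriseRoot, &entLeafKey.PublicKey, entKey)
	return w
}

// verify runs standard path validation for Host with the given anchors and intermediates.
func verify(leaf *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rp.AddCert(r)
	}
	for _, i := range intermediates {
		ip.AddCert(i)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: Host, Roots: rp, Intermediates: ip})
	return err
}

// InterceptionAccepted: a client trusting only the public root accepts the box's cert, no warning.
func (w *World) InterceptionAccepted() bool {
	return verify(w.InterceptLeaf, []*x509.Certificate{w.InspectionSubCA}, []*x509.Certificate{w.PublicRoot}) == nil
}

// OutsiderGetsWarning: equipment without the corporate root rejects the enterprise chain.
func (w *World) OutsiderGetsWarning() bool {
	return verify(w.EnterpriseLeaf, nil, []*x509.Certificate{w.PublicRoot}) != nil
}

// ManagedClientAccepts: once the corporate root is in the trust store, the same chain validates.
func (w *World) ManagedClientAccepts() bool {
	return verify(w.EnterpriseLeaf, nil, []*x509.Certificate{w.PublicRoot, w.EnterpriseRoot}) == nil
}

func main() {
	w := NewWorld()
	fmt.Println("sub-CA interception accepted:", w.InterceptionAccepted())
	fmt.Println("unmanaged equipment warned:  ", w.OutsiderGetsWarning())
	fmt.Println("managed client accepts:      ", w.ManagedClientAccepts())
}
```

Run it with `go run` and all three lines print `true`. The point the code makes is that path validation cannot tell a sub-CA issued to a legitimate subordinate from one sold to an interception box: both chain cleanly to the public root, so the client sees no warning at all. In the self-signed variant the trust decision is made explicitly by whoever controls the trust store, which is why the warning appears on unmanaged equipment and disappears only when the corporate root has been installed; no public CA's signature is involved.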
