On 6/12/11 21:52 PM, Florian Weimer wrote:
> * Adam Back:
>
>> Are there really any CAs which issue sub-CA for "deep packet inspection" aka
>> doing MitM and issue certs on the fly for everything going through them:
>> gmail, hotmail, online banking etc.
>
> Such CAs do exist, but to my knowledge, they are enterprise-internal CAs
> which are installed on corporate devices, presumably along with other
> security software.  Even from a vendor point of view, this additional
> installation step is desirable because it fits well with a per-client
> licensing scheme, so I'm not sure what the benefit would be to get a
> certificate leading to one of the public roots.


The promise of PKI in secure browsing is that it addresses the MITM. That's it, in a nutshell. If that promise is not true, then we might as well use something else.

If the reality is that it simply makes the MITM a sellable feature, that's a breach of the promise. If the situation is "we'll protect you from some MITMs and we'll sell other MITMs over you ..." it's a breach of the original terms that were foisted on browsing in the first place...

Now, this doesn't necessarily mean that some MITMs can't be justified. It's more that the original promise is what the users believe. And exceptions like this aren't really tolerated in the beliefs of users.

So, we need that debate: what's an exception? what's tolerable? what's the point?

We need to see those MITM certs. So we can understand what the nature of the breach is.



iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
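The interception setup discussed in this thread (a root pushed onto the device, a sub-CA under it minting certificates for arbitrary host names on the fly) is invisible to ordinary chain validation, because the device trusts the inspection root just as it trusts the public ones. The following is an added example, not code from this thread or from any product or CA mentioned in it. It uses only Go's standard library to build a genuine chain and an interception chain for one host name, with every CA name and the host name constructed for illustration, and shows that plain verification accepts both chains while a client that pins the genuine root's public key (SPKI hash) flags the interception chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parentKey, or self-signs it when parent is nil, and returns
// the parsed certificate together with its freshly generated private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// caTemplate is a minimal CA template; names and serials are constructed sample data.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// leafTemplate is a minimal server certificate template for host.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// spkiPin is base64(SHA-256(SubjectPublicKeyInfo)), the form used by public-key pinning.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkConnection does what a pin-aware client does after the handshake: validate the
// presented chain against the trust store, then require that some certificate in a
// valid chain carries a pinned key. It returns (chainValid, pinMatched).
func checkConnection(leaf *x509.Certificate, roots, inters *x509.CertPool, host string, pins map[string]bool) (bool, bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return false, false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return true, true
			}
		}
	}
	return true, false
}

// Result records the client's verdict on the genuine and the interception chain.
type Result struct {
	GenuineValid, GenuinePinned, MitmValid, MitmPinned bool
}

// runScenario builds both chains for host and evaluates them against one pin set.
func runScenario(host string) Result {
	// The public CA that legitimately issued the site's certificate.
	genuineRoot, genuineKey := issue(caTemplate("Genuine Root CA (constructed)", 1), nil, nil)
	realLeaf, _ := issue(leafTemplate(host, 2), genuineRoot, genuineKey)

	// An inspection root pushed to the device, plus a sub-CA that mints a
	// certificate for the same host name on the fly.
	inspectRoot, inspectKey := issue(caTemplate("Corp Inspection Root (constructed)", 3), nil, nil)
	subCA, subKey := issue(caTemplate("Corp Inspection Sub-CA (constructed)", 4), inspectRoot, inspectKey)
	mitmLeaf, _ := issue(leafTemplate(host, 5), subCA, subKey)

	// The device trusts both roots, so plain chain validation accepts both chains.
	roots := x509.NewCertPool()
	roots.AddCert(genuineRoot)
	roots.AddCert(inspectRoot)
	inters := x509.NewCertPool()
	inters.AddCert(subCA)

	// The pin was learned out of band (e.g. shipped with the client): the genuine root's key.
	pins := map[string]bool{spkiPin(genuineRoot): true}

	var r Result
	r.GenuineValid, r.GenuinePinned = checkConnection(realLeaf, roots, x509.NewCertPool(), host, pins)
	r.MitmValid, r.MitmPinned = checkConnection(mitmLeaf, roots, inters, host, pins)
	return r
}

func main() {
	r := runScenario("mail.example.com")
	fmt.Printf("genuine chain:      valid=%v pinned=%v\n", r.GenuineValid, r.GenuinePinned)
	fmt.Printf("interception chain: valid=%v pinned=%v\n", r.MitmValid, r.MitmPinned)
}
```

Running it prints that both chains validate but only the genuine one matches the pin, which is exactly the gap between "the chain is trusted" and "this is the party I expected". Note that mainstream browsers deliberately do not enforce their built-in pins for chains ending in a locally installed root, so a check like the one above is what an application doing its own pinning, or an audit tool collecting the presented chains, would perform; collecting those chains is also how the certificates the thread asks to see would be gathered.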