Again, I'm not a lawyer but if somebody legally purchases a gun from you for a legitimate purpose and then abuse it your are not liable (US context here).
The same way if somebody purchases this cert to monitor their employees for data exfiltration (perfectly good reason, if specified in the privacy policy), thus they are being totally legal. You have no way of knowing if they abuse the certificate to tap their neighbors for example. No on the USC items that were mentioned. They are about "exceeding access", etc. They would not be exceeding access if it is in the privacy policy that they can monitor you for X activity. Best, Krassimir On Sun, Feb 12, 2012 at 3:09 AM, Jeffrey Walton <noloa...@gmail.com> wrote: > On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov > <mailli...@krassi.biz> wrote: >> While I'm not a lawyer and my opinion is in noway authoritive I do not >> believe there is any violation. They ay be an accessory to a potential >> crime but they themselves did not do the tapping. > I think its a bit broader than an accessory since they knoew what the > company wanted to do. Trustwave was onsite and set the system up - > they were clearly a co-conspirator. They even bragged about how > ethical it was because they used an HSM. > > Jeff > >> On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton <noloa...@gmail.com> wrote: >>> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back <a...@cypherspace.org> wrote: >>>> So it happened, per recent discussion on this list, it seems that at least >>>> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes. >>>> >>>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972 >>>> >>>> mozilla is threatening to remove the CA from their browser. Trustwave says >>>> they have/will revoke all these sub-CAs and will not issue any more. >>>> >>>> They also claim in their defense that other CAs are doing this. >>> Evading computer security systems and tampering with communications is >>> a violation of federal law in the US. So says the US Attorney General >>> in New Jersey when he charged Wiseguys Tickets with gaming the >>> TicketMaster systems [1,2]. If the Attorney General is to be believed, >>> Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a). >>> >>> Jeff >>> >>> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/ >>> [2] >>> http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
