On Tue, Feb 14, 2012 at 9:51 AM, Ralph Holz <[email protected]> wrote:
> Hi,
>
>> Well I am not sure how they can hope to go very far underground. Any and
>> all users on their internal network could easily detect and anonymously
>> report the mitm cert for some public web site without any significant risk
>> of it being tracked back to them. Game over. So removal of one CA from a
>> major browser like Mozilla would pretty much end this practice if it is true
>> that any CAs other than Trustwave actually did this...
>
> If all users used a tool like Crossbear that does automatic reporting,
> yes. But tools like that are a recent development (and so is
> Convergence, even though it was predated by Perspectives).
>
> More importantly, however, how capable do you judge users to be? How
> wide-spread do you expect such tools to become? Most users wouldn't know
> what to look for in the beginning, and they would much less care.
>
> Following your argument, in fact, we should have a large DB with Mitm
> certs and incidents already. We don't - but not because CAs would not
> have issued Mitm certs for Sub-CAs, surely?
>
> No, CAs would try to hide the fact that they have issued certs that are
> good for Mitm a corporate network. Some big CAs -- too big to fail even,
> maybe, and what about them? -- have not yet publicly stated that they
> have never issued such certs. I think giving them a chance at amnesty is
> a better strategy.

That penalizes CAs who choose to operate ethically and within the bounds of contractual agreements. Just sayin....

Jeff

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
