On 08/01/2016 03:19, Peter Bowen wrote:
> ...
> [1] I can imagine exactly one way they could claim to simultaneously
> meet the BRs and issue MITM certificates: claim they are using a
> practical control method and show that from their vantage point they
> have practical control of the Internet. They could even modify HTTP
> responses to inject validation tokens and/or modify DNS responses to
> do the same. Obviously this is not the intent of practical control
> validation but would be an interesting tactic.
Could they, hypothetically, simply claim to use the real certificate on
the connection from their MiTM machines to the real server to do
practical control validation? They would have to claim, also, that
they are holding the private key of the MiTM certificate "in trust" on
behalf of the site owners "on whose behalf" they issued the certificate?
(Just playing devil's advocate).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy