On 08/01/2016 23:31, Florian Weimer wrote:
> * Jakob Bohm:

>> Could they, hypothetically, simply claim to use the real certificate on
>> the connection from their MiTM machines to the real server to do
>> practical control validation?  They would have to claim, also, that
>> they are holding the private key of the MiTM certificate "in trust" on
>> behalf of the site owners "on whose behalf" they issued the certificate?
>> (Just playing devil's advocate).

> I think it's similar to what certain CDNs do: They hold the key
> material (both long term and session) on behalf of the server
> operator.  A TLS interception facility holds the session keys on
> behalf of the client.

Not quite.  CDNs are voluntarily hired by the site owners to
(essentially) provide additional web server computers for the site.
They are (if properly using the site's domain name) not really
different from any other web host.

A Corporate MiTM affecting only itself is not holding anything on
others' behalf.  It would be morally advisable though for employees
to have a legitimate way to carry out personal communication (such as
arranging doctor's appointments) during work breaks or similar.  Similar
to a factory (in older times) having a payphone in a hallway.

A nation state MiTM is on the other hand overriding the individual
authority of its citizens and legitimate foreign visitors.

However my (hypothetical) bad argument for a MiTM CA issuing
certificates involves acting on behalf of the (non-consenting) foreign
web site owners to hold private keys that purport to identify the
holder as said foreign site owners (who are in no way subjects of that
state).


> Both parties claim to increase Internet security.  Both are probably
> right in some ways, and wrong in others.
>
> Florian



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
