Julien Pierre wrote: > If it was a rogue CA, there should be a process to remove it. Hopefully > it should lose its certification and simply be removed. If not, it would > be easy to prove by collecting a number of the "proxy" certs under false > identities, and contact the owner in the subject certs to see if they > actually requested the cert and have the private key.
That would depend if they were acting under some sort of mandate or not. In the US, there is now a thing called a "national security letter" that can request cooperation, no judge or warrant needed. If such were presented to a US CA I'd have no doubt that they would comply. (If you want more, check the boards.) Proving that a CA was not acting under such would be very difficult, as they come with gag orders as well. All a CA has to do is say "sorry, can't say. But, you'd better not drop us..." As there is no overseer of the process, there is nothing stopping a completely fraudulent player from claiming it, and you can't prove the non-existence of it. I gather the situation in the UK is similar, more onerous, even. Other countries, I'm not sure of, but the other UKUSA countries (Au,NZ,Can) and the European countries almost certainly have similar provisions. OTOH, the various authorities know that the MITM or a rogue CA-signed cert is a rather brutal and dangerous weapon. If they are caught, it wouldn't be prosecution they'd be worried about, but press and exposure, and this might result in limitations being placed on them. So, I don't think that the CA rogue cert is something to lose much sleep over, but I think we can agree that it's really difficult to protect the user from this! iang _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
