On Fri, Dec 2, 2011 at 10:02 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Adam Back <a...@cypherspace.org> writes:
>
>>Start of the thread was that Greg and maybe others claim they've seen a cert
>>in the wild doing MitM on domains they definitionally do NOT own.
>
> It's not just a claim, I've seen them too. For example I have a cert issued
> for google.com from such a MITM proxy. I was asked by the contributor not to
> reveal any details on it because it contains the name and other info on the
> intermediate CA that issued it, but it's a cert for google.com used for deep
> packet inspection on a MITM proxy. I also have a bunch of certs from private-
> label CAs that chain directly up to big-name public CAs, there's no technical
> measure I can see in them anywhere that would prevent them from issuing certs
> under any name.
>
> (An unfortunate effect of the private-label CAs is that they contain
> identifying information on the organisation that uses them, something I hadn't
> considered in my "post them to the list" request, and publishing them would
> publicly out your employer or organisation as doing this. So I'll modify my
> "post to the list" to "email them to me in private" :-).
To what end? And, BTW, I'd like to see them too :-)

>>The real question again is can we catch a boingo or corp lan or government
>>using a MitM sub-CA cert, and then we'll know which CA is complicit in issuing
>>it, and delist them.
>
> Given that some of the biggest CAs around sell private-label CA certs, you'd
> end up shutting down half the Internet if you did so.
>
> Peter.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
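The "no technical measure" Peter describes is the absence of a nameConstraints extension on the private-label sub-CA. The script below is an added, constructed demonstration (not code from the thread or from any CA): a throwaway root issues one sub-CA without constraints and one constrained to a made-up customer domain, each issues a leaf for a host outside that domain, and the script shows the audit a relying party can run on a sub-CA cert and which chain standard path validation accepts. It assumes openssl 1.1.1 or later on PATH; all names are placeholders.

```shell
#!/bin/sh
# Added demo (constructed, not from the thread): a root issues two private-label
# sub-CAs, one unconstrained and one with nameConstraints, each of which issues a
# leaf for a host outside the customer's domain; then we see which chain a verifier
# accepts. Assumes openssl 1.1.1+ on PATH; all names (.test, example.com) are made up.
set -e
WORK=$(mktemp -d)
cat > "$WORK/ext.cnf" <<'EOF'
[unconstrained]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[constrained]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:corp-customer.test
[leaf]
basicConstraints=CA:FALSE
subjectAltName=DNS:login.example.com
EOF
# issue_cert NAME ISSUER SECTION: new key + CSR for NAME, signed by ISSUER's key with
# the extensions of SECTION; ISSUER=self produces the self-signed root.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  [ "$2" = self ] && signer="-signkey $WORK/$1.key" ||
    signer="-CA $WORK/$2.pem -CAkey $WORK/$2.key -CAcreateserial"
  openssl x509 -req -in "$WORK/$1.csr" $signer -days 30 -out "$WORK/$1.pem" \
    -extfile "$WORK/ext.cnf" -extensions "$3" >/dev/null 2>&1
}
# has_name_constraints SUBCA: the audit anyone holding a sub-CA cert can run;
# true only if the extension that would limit its issuing power is present.
has_name_constraints() {
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'X509v3 Name Constraints'
}
# chain_ok SUBCA LEAF: does ordinary path validation accept LEAF via SUBCA?
chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$1.pem" \
    "$WORK/$2.pem" >/dev/null 2>&1
}
issue_cert root self unconstrained
issue_cert open-subca root unconstrained
issue_cert tight-subca root constrained
issue_cert open-leaf open-subca leaf
issue_cert tight-leaf tight-subca leaf

for ca in open-subca tight-subca; do
  has_name_constraints "$ca" && nc=yes || nc=no
  chain_ok "$ca" "${ca%-subca}-leaf" && ok=accepted || ok=rejected
  echo "$ca: nameConstraints=$nc, leaf for login.example.com $ok"
done
```

The unconstrained sub-CA's leaf validates for a name its customer does not own, while the constrained one is rejected with a permitted-subtree violation; the same `-text | grep` audit applied to a real private-label sub-CA tells you which case you are looking at.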