My point is this - say you are the CEO of a CA. Do you want to bet your entire company on no one ever detecting nor reporting the MITM sub-CA that you issued? I wouldnt do it. All it takes is one savy or curious guy in a 10,000 person company.
Consequently if there are any other CAs that have done this, they now know mozilla and presumably other browsers are on to them and they need to revoke any mitm sub-CA certs and stop doing it or they risk their CA going bankrupt like with diginotar. Adam On Tue, Feb 14, 2012 at 03:51:16PM +0100, Ralph Holz wrote:
If all users used a tool like Crossbear that does automatic reporting, yes. But tools like that are a recent development (and so is Convergence, even though it was predated by Perspectives). More importantly, however, how capable do you judge users to be? How wide-spread do you expect such tools to become? Most users wouldn't know what to look for in the beginning, and they would much less care. Following your argument, in fact, we should have a large DB with Mitm certs and incidents already. We don't - but not because CAs would not have issued Mitm certs for Sub-CAs, surely? No, CAs would try to hide the fact that they have issued certs that are good for Mitm a corporate network. Some big CAs -- to big too fail even, maybe, and what about them? -- have not yet publicly stated that they have never issued such certs. I think giving them a chance at amnesty is a better strategy. Ralph -- Ralph Holz Network Architectures and Services Technische Universität München http://www.net.in.tum.de/de/mitarbeiter/holz/ PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography