* Jakob Bohm:

> Could they, hypothetically, simply claim to use the real certificate on
> the connection from their MiTM machines to the real server to do
> practical control validation? They would have to claim, also, that
> they are holding the private key of the MiTM certificate "in trust" on
> behalf of the site owners "on whose behalf" they issued the certificate?
> (Just playing devil's advocate.)
I think it's similar to what certain CDNs do: they hold the key material (both long-term and session) on behalf of the server operator. A TLS interception facility holds the session keys on behalf of the client. Both parties claim to increase Internet security. Both are probably right in some ways, and wrong in others.

Florian

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy