[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"? [SEC=PERSONAL]
daniel.subs at internode.on.net
Thu Mar 25 05:51:38 MDT 2010
On Thursday 25 March 2010 16:33:22 Peter Barker wrote:
> One thing would be *very* interesting - what if the identity of the
> "leaked" CA-cert came to light? Would Mozilla turf it from its
Altering trust bits - so same effect.
> Would Debian?
My guess is yes.
> Would Microsoft?
Guess: random business decision of the day.
> Would the Australian
> Government mandate the removal of that certificate from government
There would be advisories issued, I'm sure - make sure I'm not a sysadmin
anywhere there when it comes out.
> > However I'm not surprised that there are incorrect generalisations about
> > exactly what sort of trust a purchased certificate means. A CA is a 3rd
> > party in a trust relationship who is mutually trusted because they are
> > external & impartial. As soon as they are "inside" the relationship
> "Someone I don't know (merchant) has given money to someone *else* I don't
> know (CA), who is apparently trusted by *another* set of people I don't
> know (browser developers)... so I can trust them, right?"
It's easier if you talk about it in terms of reliance rather than trust. You
rely on the browser people to give you good software and to give you only CAs
that they themselves would rely on, based on the CA policies and an auditor's
statement of reliance covering the policy and operations.
So unless you write/audit your own browser and CAs then I guess it is trust.
Anyone want to help out CAcert?
http://wiki.cacert.org/HelpingCAcert (slightly outdated)
or contact me off list for a more personal service