[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"?

Ambrose Andrews ambrose-bulk at vrvl.net
Thu Mar 25 22:14:21 MDT 2010

On 25 March 2010 13:47, Arjen Lentz <arjen at lentz.com.au> wrote:
> Hi Steve
> ----- "steve jenkin" <sjenkin at canb.auug.org.au> wrote:
>> Comments?
>> <http://www.crypto.com/blog/spycerts/>
> Not being naive, we can say "bound to happen", "predictable" - but it's very annoying.
> What SSL cert authorities actually sell is "trust by proxy".
> That is, I purchase an SSL cert from them so that my clients can trust me.
> I'd prefer a system that does not rely on intrinsic trust in anybody - but we don't have that.

In the sense of social adoption and practicality that's true, but
there are incipient systems that facilitate a more fine-grained choice
in what we trust.

That is - not demanding intrinsic trust in any *single* body.


I mentioned earlier that there is an alternate proposal — OpenPGP
Certificates instead of X.509 certificates  — which allows multiple
signatures per certificate. The proposal is designed to be
implementable in parallel with existing X.509 certificates. However,
it is not widely implemented or adopted yet.

Most programs which use TLS do not actually implement their TLS
functionality directly. Instead, they make use of software libraries,
which are collections of code that can be used by many programs.

At least one TLS library exists which can use OpenPGP certificates:
the free GnuTLS library has supported OpenPGP certificates in addition
to X.509 certificates since at least the end of 2003. Tools (like web
browsers) which use the GnuTLS library basically can get this extra
feature without any extra work.

(see also: http://www.ietf.org/rfc/rfc5081.txt)

If this were widely enough adopted to gain some critical mass, it
might be useful in a dynamic way that say CaCert.org wouldn't be.


Ambrose Andrews
LPO box 8274 ANU Acton ACT 0200 Australia
mailto:ambrose at vrvl.net
xmpp:ambrose at jabber.fsfe.org
CE38 8B79 C0A7 DF4A 4F54  E352 2647 19A1 DB3B F823
556A 6D19 0904 827C 9DB8  3697 32D0 1E11 403F 2BE1

More information about the linux mailing list