[SSL Observatory] so called "lawful intercept" survey

Jacob Appelbaum jacob at appelbaum.net
Mon Sep 19 09:23:13 PDT 2011


Hi,

It seems like it is worthwhile to create a survey that covers
certificate authorities and other related bodies about so called "lawful
interception" business practices. I believe that it was Christopher
Soghoian and Sid Stamm[0] that first widely discussed the actuality of
commercial companies selling turnkey solutions for SSL surveillance.
Supposedly, such solutions were, and are likely still, offering CA
signed certificates for use with interception equipment.

It seems that such a survey would need to cover each of the CA roots
that are shipped with popular browsers.

The survey could be as simple as the following question:
"Do you offer any kind of product or services for lawful interception
solutions? If so, what are they and how do they function?"

It seems in the browser vendor's interest to ask a related question:
"Does your business ever issue certificates to any party other than the
valid business associated with said certificates?"

I imagine it might also be worth asking the following as well:
"Does your business ever issue intermediate certificate authorities for
any reason?"

If a CA is willing to sign certificates for use with an interception
device and/or if they offer services for interception purposes, I'd like
to know if they'll be up front about such activities. If they aren't
willing to comment, I think that's a fine thing to share with the world.

The browser vendors at the very least have a reasonable expectation to
know if this is a stated practice - certificates already have uses
associated, code signing, email, etc. It seems totally reasonable that
other uses might be reflected in wider policy discussions; even though
it also seems entirely implausible to really know, it's probably not a
bad idea to ask. I would also argue that the rest of the world has a
reasonable expectation, at least as much as vendors, but they obviously
have considerably less leverage to begin such a dialogue.

Obviously, such a survey is unlikely to be a fountain of truth telling
by vendors or related businesses. A company may have vested interests
that conflict with the interests of a browser or end users. Of course a
key point is merely to gather data and to publish it openly. In time, we
should be able to use that data to better understand the actual
practices of companies.

What other questions are worth asking?

It also seems prudent to ask about internal legal policies regarding
National Security Letters or similar attempts to force signatures. If
the internal policy is to simply hand over the keys or an HSM to law
enforcement, I'd also like to know those related facts. There are lots
of corner cases here and all of them seem interesting points for discussion.

All the best,
Jacob

[0] http://www.crypto.com/blog/spycerts/
