[SSL Observatory] so called "lawful intercept" survey

Gervase Markham gerv at mozilla.org
Thu Sep 22 09:05:48 PDT 2011


On 19/09/11 17:23, Jacob Appelbaum wrote:
> The survey could be as simple as the following question:
> "Do you offer any kind of product or services for lawful interception
> solutions? If so, what are they and how do they function?"
> 
> It seems in the browser vendor's interest to ask a related question:
> "Does your business ever issue certificates to any party other than the
> valid business associated with said certificates?"

I assume you mean "valid business associated with the domain name in
question"? If so, then my understanding is that Mozilla policy and the
new Baseline Requirements both forbid such a thing - this seems obvious
to me. However, if people think that the documents have a loophole that
CAs are driving through, they should bring it to our attention.

Also, I'd be surprised if CAs would do this, because of the risk of
getting caught. You are basically issuing non-repudiable
digitally-signed certificates of your malfeasance and then giving them
to a customer to 'distribute' in a manner you have no control over!

> I imagine it might also be worth asking the following as well:
> "Does your business ever issue intermediate certificate authorities for
> any reason?"

Now _this_, on the other hand, is AIUI a common business model. Although
again, if there were no contractual controls such that a scenario like
the one above could happen, and it became known, the CA's reputation
would take a significant hit if one of the certs came to light.

On the back of all that, it seems to me that one of the best ways of
keeping CAs honest would be for the various addons etc. floating around
which check certificate correctness to "phone home" to the addon
author's organization with anything suspicious which was detected. If
they were to do that, even a small takeup of such tools would make
attacks like the Iran attack much easier to spot, much earlier - and
remove any remaining reason for collaborating CAs to think they could
get away with it.

> It also seems prudent to ask about internal legal policies regarding
> National Security Letters or similar attempts to force signatures. If
> the internal policy is to simply hand over the keys or a HSM to law
> enforcement, I'd also like to know those related facts. There are lots
> of corner cases here and all of them seem interesting points for discussion.

Having made the points above, I would say that your idea of a survey of
such practices seems an interesting one. (I can't promise that Mozilla
will do it :-)

Gerv
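
The "phone home with anything suspicious" idea in the message above, as an added worked example that is not code from the Observatory list, from Mozilla, or from any real add-on: a trust-on-first-use notary that remembers which CA has previously vouched for each host and classifies each new sighting. The verdict names, the 60-day renewal window and the sample certificates are assumptions chosen for illustration; the "issuer-changed" case is the pattern of the Iran attack referred to above, where a host suddenly presents a certificate from a CA that never issued for it before.

```python
# Added example, not code from the Observatory list or any browser add-on.
# A TOFU certificate notary: records what each host has presented before and
# decides which new sightings a client should report upstream.
import datetime as dt
import hashlib
from dataclasses import dataclass

# Assumption: a replacement cert seen within 60 days of the old one's expiry
# is ordinary rotation; anything else with a new fingerprint is worth a report.
RENEWAL_WINDOW = dt.timedelta(days=60)
REPORTABLE = {"issuer-changed", "early-reissue"}


def fingerprint(der_leaf: bytes) -> str:
    """SHA-256 hex digest of the DER-encoded leaf certificate."""
    return hashlib.sha256(der_leaf).hexdigest()


@dataclass(frozen=True)
class Observation:
    host: str
    issuer: str         # issuer DN of the leaf, i.e. the (intermediate) CA that signed it
    fingerprint: str    # from fingerprint()
    not_before: dt.date
    not_after: dt.date
    seen_on: dt.date    # date the client saw this chain


def make_observation(host, issuer, der_leaf, not_before, not_after, seen_on):
    """Build an Observation from ISO date strings and the raw DER leaf bytes."""
    return Observation(host, issuer, fingerprint(der_leaf),
                       dt.date.fromisoformat(not_before),
                       dt.date.fromisoformat(not_after),
                       dt.date.fromisoformat(seen_on))


def classify(obs: Observation, prior: list) -> str:
    """Compare a sighting against everything previously recorded for the host."""
    if not prior:
        return "new-host"            # nothing to compare with yet; just record it
    last = prior[-1]
    if obs.fingerprint == last.fingerprint:
        return "known"               # same leaf as last time
    if obs.issuer not in {p.issuer for p in prior}:
        # A CA that never vouched for this host before now does: the pattern of
        # the Iran attack, and the thing a CA would least like to have reported.
        return "issuer-changed"
    if last.not_after - obs.seen_on <= RENEWAL_WINDOW:
        return "renewal"             # same CA, old cert about to expire
    return "early-reissue"           # same CA, but the old cert had plenty of life left


class Notary:
    def __init__(self):
        self.history = {}   # host -> list of Observation, oldest first
        self.reports = []   # (verdict, Observation) pairs the client would phone home

    def observe(self, obs: Observation) -> str:
        prior = self.history.setdefault(obs.host, [])
        verdict = classify(obs, prior)
        if verdict in REPORTABLE:
            self.reports.append((verdict, obs))
        if verdict != "known":
            prior.append(obs)
        return verdict


if __name__ == "__main__":
    # Constructed sample sightings; the DER bytes are placeholders, not real certs.
    n = Notary()
    host, ca = "mail.example.org", "CN=Example CA G2"
    for o in (
        make_observation(host, ca, b"leaf A", "2011-01-01", "2012-01-01", "2011-02-01"),
        make_observation(host, ca, b"leaf B", "2011-12-01", "2012-12-01", "2011-12-01"),
        make_observation(host, "CN=Some Other CA", b"leaf X", "2011-08-01", "2012-08-01", "2012-01-05"),
    ):
        print(n.observe(o), o.issuer, o.fingerprint[:12])
    print(len(n.reports), "sighting(s) to report")
```

Only the reportable verdicts leave the client, so a small deployment generates little traffic yet still surfaces the one event that matters: a certificate for a host from a CA that has never issued for it before.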
