[SSL Observatory] so called "lawful intercept" survey

Tom Ritter tom at ritter.vg
Sun Sep 25 18:30:13 PDT 2011


> Threat of imprisonment by the government is not one that I think we can
> realistically expect people to resist. 

I agree.

PHB:
> What is (I think) at issue here is the question of whether a CA would be
> legally coerced to issue false credentials in order to enable a lawful
> intercept. That is not something that has ever occurred as far as I am
> aware. 

Gerv:
> I assume you mean "valid business associated with the domain name in
> question"? If so, then my understanding is that Mozilla policy and the
> new Baseline Requirements both forbid such a thing - this seems obvious
> to me. However, if people think that the documents have a loophole that
> CAs are driving through, they should bring it to our attention.

I raised this concern a bit ago[1], but didn't really publicize it,
because, as Phillip said, I don't think it's realistic to expect a
corporation to resist a command by a suitably intimidating force in
their country.  Judge in some, men-with-guns in others.

I wrote:

Now, for the paranoid crowd: what about collusion between a CA and the
government? If it was proven that a CA had issued a cert for government
interception, that CA would pretty quickly be untrusted by users, and
probably browsers as well. It's incentive for a CA not to do so, since
such an action puts its business at risk. But let's check the relevant
sections of the doc:

    8.1 Compliance

    The CA MUST at all times: Comply with all law applicable to its
    business and the Certificates it issues in each jurisdiction where it
    operates

Could a judge order a CA to do the government's bidding and sign a CSR
for law enforcement? Well, practically speaking I'm not qualified to
answer this. There's not a lot of people who are. I credit Dino Dai Zovi
when I say: "The people who are qualified to speak about the topic won't
and can't, so by definition the only people speaking are people
unqualified." I'll just note that by stretching parts of the
Requirements (stretching "right to use, or had control of, the Domain
Name and IP address") and emphasizing compliance with applicable law -
they'd have somewhat of a defense from an industry sanction. Not from
the people on the internet of course.

----

I wouldn't say it's a loophole CAs _are_ driving through, but I'd say
it's the defense they'd use when they were caught.

Another topic I raised on this list a while ago was if the government (I
was insinuating at CBP at the time) ever forced a revocation[2].

-tom

[1] http://ritter.vg/blog-cab_forum_draft.html
[2] https://mail1.eff.org/pipermail/observatory/2011-April/000203.html


