[SSL Observatory] so called "lawful intercept" survey

Phillip Hallam-Baker hallam at gmail.com
Sun Sep 25 19:40:27 PDT 2011


This is why I see transparency as an essential control here.

A judge is not going to order a CA to do something if the CA can point out
that the breach of faith will become visible and result in the exposure of
the government scheme.

On Sun, Sep 25, 2011 at 9:30 PM, Tom Ritter <tom at ritter.vg> wrote:

> > Threat of imprisonment by the government is not one that I think we can
> > realistically expect people to resist.
>
> I agree.
>
> PHB:
> > What is (I think) at issue here is the question of whether a CA would be
> > legally coerced to issue false credentials in order to enable a lawful
> > intercept. That is not something that has ever occurred as far as I am
> > aware.
>
> Gerv:
> > I assume you mean "valid business associated with the domain name in
> > question"? If so, then my understanding is that Mozilla policy and the
> > new Baseline Requirements both forbid such a thing - this seems obvious
> > to me. However, if people think that the documents have a loophole that
> > CAs are driving through, they should bring it to our attention.
>
> I raised this concern a bit ago[1], but didn't really publicize it,
> because, as Phillip said, I don't think it's realistic to expect a
> corporation to resist a command by a suitably intimidating force in
> their country.  Judge in some, men-with-guns in others.
>
> I wrote:
>
> Now, for the paranoid crowd: what about collusion between a CA and the
> government? If it was proven that a CA had issued a cert for government
> interception, that CA would pretty quickly be untrusted by users, and
> probably browsers as well. It's incentive for a CA not to do so, since
> such an action puts its business at risk. But let's check the relevant
> sections of the doc:
>
>    8.1 Compliance
>
>    The CA MUST at all times: Comply with all law applicable to its
> business and the Certificates it issues in each jurisdiction where it
> operates
>
> Could a judge order a CA to do the government's bidding and sign a CSR
> for law enforcement? Well, practically speaking I'm not qualified to
> answer this. There's not a lot of people who are. I credit Dino Dai Zovi
> when I say: "The people who are qualified to speak about the topic won't
> and can't, so by definition the only people speaking are people
> unqualified." I'll just note that by stretching parts of the
> Requirements (stretching "right to use, or had control of, the Domain
> Name and IP address") and emphasizing compliance with applicable law -
> they'd have somewhat of a defense from an industry sanction. Not from
> the people on the internet of course.
>
> ----
>
> I wouldn't say it's a loophole CAs _are_ driving through, but I'd say
> it's the defense they'd use when they were caught.
>
> Another topic I raised on this list a while ago was if the government (I
> was insinuating at CBP at the time) ever forced a revocation[2].
>
> -tom
>
> [1] http://ritter.vg/blog-cab_forum_draft.html
> [2] https://mail1.eff.org/pipermail/observatory/2011-April/000203.html
>



-- 
Website: http://hallambaker.com/