[SSL Observatory] the CA sub-CA smoking gun

Phillip Hallam-Baker hallam at gmail.com
Fri Feb 3 14:47:54 PST 2012


Some weeks ago, Google announced a change in their CA root
requirements prohibiting this type of cert.

Clearly the ability to observe defaults and non-compliance in the
provision of CA services has great value. The EFF observatory and the
Google CA restriction mechanism have helped identify two cases that
had not previously come to light.


Besides the obvious risks, what on earth possessed people to go and
buy what amounts to a universal lock pick for any financial site on
the net? Didn't they give any thought to the risks they were exposing
their own staff to?



On Fri, Feb 3, 2012 at 9:59 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Hi,
>
> I noticed this statement today by Trustwave on their website:
>
> 1/26/2012 - Trustwave CA Policy Update
>
> It has been common practice for Trusted CAs to issue subordinate roots
> for enterprises for the purpose of transparently managing encrypted
> traffic. In the past, Trustwave, like many of our peers in the industry,
> has enabled organizations to perform this activity. Due to events of the
> past year, Trustwave has decided to revoke all subordinate roots issued
> for this purpose.
>
> XRamp Security Services, Inc. (successor to SecureTrust Corporation),
> has been acquired by and is a wholly-owned subsidiary of Trustwave
> Holdings, Inc. ("Trustwave")
>
> It's posted here:
> https://ssl.trustwave.com/CA/
>
> I wonder who their peers are in the industry? Will they come out and
> tell us as well?
>
> Their website says they'd love to hear from anyone with questions:
> "Please do not hesitate to call Trustwave 1-866-775-2378 with any
> questions."
>
> If anyone calls and asks, please do let the list know what Trustwave has
> to say on the issue...
>
> All the best,
> Jake
-- 
Website: http://hallambaker.com/