[Cryptography] Blue Coat has been issued a MITM encryption certificate

Erwann ABALEA erwann at abalea.com
Wed Jun 1 04:58:39 EDT 2016

2016-05-31 22:38 GMT+02:00 Viktor Dukhovni <cryptography at dukhovni.org>:

> On Tue, May 31, 2016 at 08:47:11PM +0200, Erwann Abalea wrote:
> > Another behavior dictated by the norm is this:
> >
> >  CA(BC:pathLenConstraint=0) -> self-issued CA(anything) -> end-entity : OK
> >
> > That is, they could issue another CA certificate named the same (C=US,
> > O/OU..., CN=Blue Coat Public Services Intermediate CA) for which they have
> > the private key, and then issue end-entity certificates. It works because
> > the pathLength is decremented for each non-self-issued CA certificate. I
> > haven't tested implementations on this point.
>
> If BlueCoat had the key for the path-constrained intermediate CA
> they could indeed create additional self-issued intermediates.
> However, allegedly they don't have the key.  So the self-issued
> intermediate would have to be issued to BlueCoat by Symantec.

The private key is hosted by Symantec, but most likely on a shared online
HSM, on their Managed PKI service.
I guess someone from BlueCoat has a clientAuth certificate to approve the
generation of subscriber certificates.
Hopefully, IIRC, Managed PKI doesn't allow the client admin to change
certificate profiles.

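To make the quoted rule concrete, here is an added worked example (not code from the thread or from any CA vendor) of the RFC 5280 section 6.1.4 path-length accounting that a validator applies; the certificate model and the Symantec/Blue Coat names are constructed placeholders. It shows why a self-issued CA beneath a pathLenConstraint=0 intermediate passes while a differently named sub-CA fails, which is the check to run when auditing what such an intermediate could sign.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in holding only the fields the algorithm reads."""
    subject: str
    issuer: str
    is_ca: bool                     # basicConstraints cA
    path_len: Optional[int] = None  # pathLenConstraint, None if absent

    def self_issued(self) -> bool:
        # RFC 5280 sec. 6.1: self-issued = identical, non-empty subject and issuer
        return bool(self.subject) and self.subject == self.issuer


def validate_path_len(chain: List[Cert]) -> bool:
    """RFC 5280 sec. 6.1.2 (k) / 6.1.4 (h),(k),(m) check; chain excludes anchor."""
    max_path_length = len(chain)          # 6.1.2 (k): initialised to n
    for i, cert in enumerate(chain, start=1):
        if i == len(chain):
            break                         # leaf: no "prepare for next" step
        if not cert.is_ca:
            return False                  # 6.1.4 (k): intermediates need cA=TRUE
        if not cert.self_issued():        # 6.1.4 (h): only these consume length
            if max_path_length <= 0:
                return False
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len   # 6.1.4 (m): tighten the budget
    return True


# Placeholder names from the thread, not real certificate contents
ROOT = "CN=Symantec Root (placeholder)"
BC = "CN=Blue Coat Public Services Intermediate CA (placeholder)"
# The thread's case: pathLen=0 CA -> self-issued CA (same DN) -> leaf
SELF_ISSUED_CHAIN = [
    Cert(BC, ROOT, is_ca=True, path_len=0),
    Cert(BC, BC, is_ca=True),
    Cert("CN=example.test", BC, is_ca=False),
]
# Same shape, but the second CA carries a different name: not self-issued
RENAMED_CHAIN = [
    Cert(BC, ROOT, is_ca=True, path_len=0),
    Cert("CN=Other Sub CA", BC, is_ca=True),
    Cert("CN=example.test", "CN=Other Sub CA", is_ca=False),
]
```

Note that the check is purely name-based: a self-issued certificate need not share the parent's key, which is exactly the point the thread makes.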