[Cryptography] Blue Coat has been issued a MITM encryption certificate

Erwann ABALEA erwann at abalea.com
Tue May 31 12:54:37 EDT 2016


Hello,

2016-05-31 16:34 GMT+02:00 Phillip Hallam-Baker <phill at hallambaker.com>:

>
>
> On Sun, May 29, 2016 at 8:55 AM, Stephen Farrell <
> stephen.farrell at cs.tcd.ie> wrote:
>
>>
>>
>> On 29/05/16 02:35, Henry Baker wrote:
>> > FYI --
>> >
>> > http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/
>> >
>> > A Controversial Surveillance Firm Was Granted a Powerful Encryption
>> > Certificate
>> > Written by Joseph Cox, Contributor
>>
>> Yeah, two things strike me:
>>
>> 1 - yay for certificate transparency - CAs behaving oddly being spotted
>>     and outed is good
>>
>> 2 - what kind of "testing" would require symantec to issue a CA
>>     cert with path-len 0 and for symantec to hold the private key? I
>>     can't figure anything that makes sense unless symantec were thinking
>>     of actively helping blue coat spoof web sites better, maybe at
>>     run-time, or on a case-by-case basis  - or am I missing something?
>>
>> Cheers,
>> S.
>
>
> For the benefit of us who can't remember, what is the effect of path-len 0?
>

A CA certificate containing a BasicConstraints with pathLenConstraint=0
means that this CA certificate can only be used to verify an end-entity
certificate, or a CA certificate that doesn't issue any certificate, but
not a CA certificate that itself would issue another certificate (either CA
or end-entity).

To simplify:
 CA(BC:pathLenConstraint=0) -> end-entity : OK
 CA(BC:pathLenConstraint=0) -> CA(anything) : OK
 CA(BC:pathLenConstraint=0) -> CA(anything) -> any certificate : NOT OK

> As in, what is the effect on systems out there in the wild as opposed to
> what does the spec say. Is there a difference and if so for what systems?
>
> Does 0 = infinity? Probably not in the spec but what about elsewhere?
>

0 is not infinity. Infinity is expressed as the absence of the
pathLenConstraint field.

Some not so old versions of GnuTLS didn't correctly verify the
pathLenConstraint, at least. I think it was corrected in 2014.
OpenSSL, NSS, MSCAPI, and Opera are OK. Don't know about PolarSSL/mbedTLS
or other smaller TLS stacks.

-- 
Erwann.
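
The three cases in the message above, as an added example that is not part of the original post: the RFC 5280 section 6.1 path-length bookkeeping on a simplified certificate model. The Cert class, check_path_len and the sample chains are constructed for illustration; signatures, names and validity dates are not checked.

```python
# Added example: RFC 5280 section 6.1 path-length bookkeeping on a simplified
# certificate model. Names and sample chains are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None  # None = pathLenConstraint absent (no limit)


def check_path_len(path: List[Cert]) -> bool:
    """path runs from the first certificate under the trust anchor to the target."""
    max_path_length = len(path)  # initial value n, per RFC 5280 6.1.2
    for cert in path[:-1]:  # the last certificate is never counted as an intermediate
        if not cert.is_ca:
            return False  # only a CA certificate may issue the next one
        if cert.subject != cert.issuer:  # self-issued certificates are not counted
            if max_path_length == 0:
                return False  # an earlier constraint is already used up
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True


# Constructed chains mirroring the three cases in the message.
ca0 = Cert("Test CA", "Root", is_ca=True, path_len=0)
sub_ca = Cert("Sub CA", "Test CA", is_ca=True)
leaf = Cert("www.example.test", "Test CA")
leaf_under_sub = Cert("www.example.test", "Sub CA")
unlimited = Cert("Open CA", "Root", is_ca=True)  # no pathLenConstraint
sub_of_unlimited = Cert("Sub CA", "Open CA", is_ca=True)

if __name__ == "__main__":
    for name, chain in [
        ("CA(0) -> end-entity", [ca0, leaf]),
        ("CA(0) -> CA", [ca0, sub_ca]),
        ("CA(0) -> CA -> end-entity", [ca0, sub_ca, leaf_under_sub]),
        ("CA(absent) -> CA -> end-entity", [unlimited, sub_of_unlimited, leaf_under_sub]),
    ]:
        print(f"{name}: {'OK' if check_path_len(chain) else 'NOT OK'}")
```

A validator that skips the `max_path_length == 0` test accepts the third chain, which lets a CA constrained to path-len 0 mint working sub-CAs.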