[Cryptography] Blue Coat has been issued a MITM encryption certificate

Peter Bowen pzbowen at gmail.com
Tue May 31 12:44:37 EDT 2016


On Tue, May 31, 2016 at 7:34 AM, Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> On Sun, May 29, 2016 at 8:55 AM, Stephen Farrell <stephen.farrell at cs.tcd.ie> wrote:
>> On 29/05/16 02:35, Henry Baker wrote:
>> > http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/
>> >
>> > A Controversial Surveillance Firm Was Granted a Powerful Encryption
>> > Certificate
>> > Written by Joseph Cox, Contributor
>>
>> Yeah, two things strike me:
>>
>> 1 - yay for certificate transparency - CAs behaving oddly being spotted
>>     and outed is good
>>
>> 2 - what kind of "testing" would require symantec to issue a CA
>>     cert with path-len 0 and for symantec to hold the private key? I
>>     can't figure anything that makes sense unless symantec were thinking
>>     of actively helping blue coat spoof web sites better, maybe at
>>     run-time, or on a case-by-case basis - or am I missing something?
>
> For the benefit of us who can't remember, what is the effect of path-len 0?
>
> As in, what is the effect on systems out there in the wild as opposed to
> what does the spec say. Is there a difference and if so for what systems?
>
> Does 0 = infinity? Probably not in the spec but what about elsewhere?

Pathlen = 0 means the CA can only issue end-entity certificates and
cannot be used to sign further CA certificates.  Path length of zero
is a good thing and is correctly interpreted by every certificate
validation library I know about.

It is fairly common practice for a CA operator to create issuing CAs
(e.g. pathlen=0) for customers for branding purposes or to enable
authorization via issuer.  In these cases the issuing CA is the same
as every other CA operated by the same company (e.g. Symantec or
Comodo), but the issuer name is the customer name.

Mozilla is working on getting all CAs to add info on their issuing CAs
to their database; you can see the current status at
https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts.
If there are checkboxes under both "CP/CPS Same As Parent" and "Audit
Same As Parent", then it is safe to assume that the issuing CA is just
a branded CA operated by the parent.

Thanks,
Peter
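The pathLenConstraint behaviour Peter describes (a pathlen=0 CA may issue end-entity certificates, but any further CA certificate beneath it fails validation) can be shown with a small chain-builder check. The following is an added example, not code from the thread: it models certificates as plain records (subject, issuer, cA flag, optional pathLenConstraint) and applies the path-length steps of RFC 5280 section 6.1.4 (decrement for each non-self-issued intermediate, take the smaller of the running limit and the certificate's own constraint). It assumes the chain is passed trust anchor first and, as a design choice, honours the anchor's own pathLenConstraint, which RFC 5280 leaves to the implementation. The certificate names are constructed and do not refer to any real CA.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Toy certificate: only the fields the path-length check looks at."""
    subject: str
    issuer: str
    is_ca: bool                      # basicConstraints.cA
    path_len: Optional[int] = None   # basicConstraints.pathLenConstraint, None = absent


def check_path_len(chain: List[Cert]) -> Tuple[bool, str]:
    """Validate issuer chaining and pathLenConstraint for a chain ordered
    trust anchor -> intermediates -> leaf.  Returns (ok, reason).

    Mirrors RFC 5280 6.1.4 steps (k), (l), (m): every non-leaf cert must be
    a CA; each non-self-issued intermediate consumes one unit of the running
    limit; a cert's own pathLenConstraint can only tighten that limit.
    Assumption: the anchor's pathLenConstraint is applied too (RFC 5280 6.2
    makes this optional; this example chooses the stricter reading).
    """
    if not chain:
        return False, "empty chain"

    max_path_len: Optional[int] = None   # None = unconstrained so far
    last = len(chain) - 1

    for i, cert in enumerate(chain):
        # (a) name chaining: each cert must be issued by the previous subject
        if i > 0 and cert.issuer != chain[i - 1].subject:
            return False, f"{cert.subject}: issuer {cert.issuer!r} != {chain[i - 1].subject!r}"

        if i == last:
            # Leaf (end entity or the CA cert under inspection): nothing more
            # to consume; the limits above it have already been enforced.
            return True, "ok"

        # (k) anything that issues the next cert must assert cA=TRUE
        if not cert.is_ca:
            return False, f"{cert.subject}: non-CA certificate used to issue {chain[i + 1].subject}"

        # (l) a non-self-issued intermediate below the anchor uses up one
        #     unit of the running limit; pathlen=0 above it means "none left"
        self_issued = cert.subject == cert.issuer
        if i > 0 and not self_issued and max_path_len is not None:
            if max_path_len == 0:
                return False, f"{cert.subject}: exceeds pathLenConstraint of an ancestor CA"
            max_path_len -= 1

        # (m) the cert's own constraint can only make the limit smaller
        if cert.path_len is not None and (max_path_len is None or cert.path_len < max_path_len):
            max_path_len = cert.path_len

    return True, "ok"   # unreachable for non-empty chains, kept for type completeness


# Constructed sample chains (names are invented for the example).
ROOT = Cert("Example Root", "Example Root", is_ca=True)
BRANDED_SUB = Cert("Customer Branded CA", "Example Root", is_ca=True, path_len=0)
LEAF = Cert("www.example.test", "Customer Branded CA", is_ca=False)
# A CA certificate issued *beneath* the pathlen=0 CA: must be rejected.
ROGUE_SUB = Cert("Deeper CA", "Customer Branded CA", is_ca=True)
LEAF_UNDER_ROGUE = Cert("www.example.test", "Deeper CA", is_ca=False)


def branded_ca_chain_ok() -> bool:
    """pathlen=0 CA issuing an end-entity cert validates."""
    return check_path_len([ROOT, BRANDED_SUB, LEAF])[0]


def sub_ca_under_pathlen0_ok() -> bool:
    """pathlen=0 CA trying to delegate to a further CA does not validate."""
    return check_path_len([ROOT, BRANDED_SUB, ROGUE_SUB, LEAF_UNDER_ROGUE])[0]


def root_pathlen1_two_levels_ok() -> bool:
    """pathlen=1 on the anchor allows exactly one CA tier beneath it."""
    root = Cert("Root P1", "Root P1", is_ca=True, path_len=1)
    a = Cert("Tier A", "Root P1", is_ca=True)
    b = Cert("Tier B", "Tier A", is_ca=True)
    leaf = Cert("host", "Tier B", is_ca=False)
    return check_path_len([root, a, b, leaf])[0]


if __name__ == "__main__":
    for name, fn in [("branded CA -> leaf", branded_ca_chain_ok),
                     ("branded CA -> sub CA -> leaf", sub_ca_under_pathlen0_ok),
                     ("pathlen=1 root -> two CA tiers -> leaf", root_pathlen1_two_levels_ok)]:
        print(f"{name}: {'valid' if fn() else 'rejected'}")
```

Running the block prints that the branded pathlen=0 CA validates for an end-entity leaf but is rejected as soon as another CA certificate is placed beneath it, which is the property that makes pathlen=0 the safe choice for a customer-branded issuing CA.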

