[Cryptography] Blue Coat has been issued a MITM encryption certificate
Viktor Dukhovni
cryptography at dukhovni.org
Tue May 31 16:38:38 EDT 2016

On Tue, May 31, 2016 at 08:47:11PM +0200, Erwann Abalea wrote:
> Another behavior dictated by the norm is this:
>
> CA(BC:pathLenConstraint=0) -> self-issued CA(anything) -> end-entity : OK
>
> That is, they could issue another CA certificate named the same (C=US,
> O/OU..., CN=Blue Coat Public Services Intermediate CA) for which they have
> the private key, and then issue end-entity certificates. It works because
> the pathLength is decremented for each non self-issued CA certificate. I
> haven't tested implementations on this point.

If BlueCoat had the key for the path-constrained intermediate CA
they could indeed create additional self-issued intermediates.
However, allegedly they don't have the key. So the self-issued
intermediate would have to be issued to BlueCoat by Symantec.

> Browser, maybe none. But some Linux distributions compile and link some
> software with GnuTLS (I've seen some OpenLDAP in Debian/Ubuntu, for
> example). Some cli tools such as curl/wget, or proxies can be compiled with
> GnuTLS.

Many distributions/builds of the Exim MTA are linked with GnuTLS.

--
Viktor.
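
The path-length rule discussed in this message, as an added example that is not part of the original post: a simplified model of RFC 5280 section 6.1.4 steps (k) to (m), showing why a self-issued CA below a pathLenConstraint=0 intermediate still validates while a differently named one does not. The `Cert` class, `check_path_length` and all certificate names are constructed for illustration, and string equality stands in for real distinguished-name comparison.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Only the fields the path-length check needs (simplified model)."""
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None  # pathLenConstraint; None means absent


def check_path_length(path: List[Cert]) -> Tuple[bool, str]:
    """RFC 5280 section 6.1.4 steps (k)-(m) over a path ordered from the
    certificate issued by the trust anchor down to the end entity."""
    max_path_length = len(path)  # RFC 5280 6.1.2: initialised to n
    for cert in path[:-1]:  # every certificate except the final one
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA"
        # Assumption: plain string equality stands in for DN comparison.
        self_issued = cert.subject == cert.issuer
        if not self_issued:
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "ok"


# Constructed names; none of these are real certificates.
ROOT, INT, OTHER = "CN=Example Root", "CN=Example Intermediate CA", "CN=Example Sub CA"
constrained = Cert(INT, ROOT, is_ca=True, path_len=0)
end_entity = Cert("CN=www.example.test", INT)

# Same name re-issued under the constrained CA: not counted against pathLen.
self_issued_path = [constrained, Cert(INT, INT, is_ca=True), end_entity]
# Differently named subordinate CA under the same constrained CA: rejected.
renamed_path = [constrained, Cert(OTHER, INT, is_ca=True),
                Cert("CN=www.example.test", OTHER)]

if __name__ == "__main__":
    print(check_path_length(self_issued_path))
    print(check_path_length(renamed_path))
```

Because self-issued certificates skip the decrement, pathLenConstraint=0 by itself does not bound how many certificates can sit below the constrained CA; only the constrained CA's key holder can sign such a certificate.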