[Cryptography] Blue Coat has been issued a MITM encryption certificate

Viktor Dukhovni cryptography at dukhovni.org
Tue May 31 16:38:38 EDT 2016


On Tue, May 31, 2016 at 08:47:11PM +0200, Erwann Abalea wrote:

> Another behavior dictated by the norm is this:
>
>  CA(BC:pathLenConstraint=0) -> self-issued CA(anything) -> end-entity : OK
>
> That is, they could issue another CA certificate named the same (C=US,
> O/OU..., CN=Blue Coat Public Services Intermediate CA) for which they have
> the private key, and then issue end-entity certificates. It works because
> the pathLength is decremented for each non self-issued CA certificate. I
> haven't tested implementations on this point.

If BlueCoat had the key for the path-constrained intermediate CA
they could indeed create additional self-issued intermediates.
However, allegedly they don't have the key.  So the self-issued
intermediate would have to be issued to BlueCoat by Symantec.

> Browser, maybe none. But some Linux distributions compile and link some
> software with GnuTLS (I've seen some OpenLDAP in Debian/Ubuntu, for
> example). Some cli tools such as curl/wget, or proxies can be compiled with
> GnuTLS.

Many distributions/builds of the Exim MTA are linked with GnuTLS.

-- 
	Viktor.
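The path-length accounting the thread is discussing is the "prepare for certificate i+1" step of RFC 5280 section 6.1.4: max_path_length is decremented only for intermediates that are not self-issued (subject DN equal to issuer DN), and a pathLenConstraint lowers it. The model below is an added example written for this archive page, not code from either poster or from any TLS library; it tracks only the path-length rules (no signature, name-constraint or policy checks, and the trust anchor is given by name), and the root name and the end-entity name are constructed placeholders, while the intermediate CN is the one quoted in the thread. It shows the chain Erwann describes passing, and the same chain with an ordinary (non-self-issued) sub-CA in the middle failing, which is the check a verifier must implement to make pathLenConstraint mean anything.

```python
"""Model of RFC 5280 section 6.1.4 path-length accounting (illustrative, not a
full certificate path validator). Added example; not code from the mailing list."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool                        # basicConstraints cA
    path_len: Optional[int] = None     # pathLenConstraint; None means absent

    @property
    def self_issued(self) -> bool:
        # RFC 5280 section 4.1.2: a certificate is self-issued when the same DN
        # appears in subject and issuer. The signature must still verify under
        # the key already certified for that DN (the point Viktor raises about
        # who holds the intermediate's private key); this model does not check
        # signatures at all.
        return self.subject == self.issuer


def validate_path_length(anchor_subject: str, chain: List[Cert]) -> Optional[str]:
    """chain is ordered from the certificate issued by the trust anchor (index 0)
    down to the end-entity certificate (last). Returns None when the path-length
    rules are satisfied, otherwise a short reason string."""
    max_path_length = len(chain)       # 6.1.2 (k): initialise to n, effectively unlimited
    expected_issuer = anchor_subject
    for i, cert in enumerate(chain):
        if cert.issuer != expected_issuer:
            return f"cert {i}: issuer {cert.issuer!r} does not match {expected_issuer!r}"
        is_last = i == len(chain) - 1
        if not is_last:
            # 6.1.4 applies to every certificate except the final one.
            if not cert.is_ca:
                return f"cert {i}: intermediate lacks basicConstraints cA=TRUE"
            if not cert.self_issued:   # 6.1.4 (l): only non-self-issued certs consume depth
                if max_path_length <= 0:
                    return f"cert {i}: pathLenConstraint exceeded"
                max_path_length -= 1
            if cert.path_len is not None and cert.path_len < max_path_length:
                max_path_length = cert.path_len   # 6.1.4 (m)
        expected_issuer = cert.subject
    return None


# Constructed placeholder names; the intermediate CN is the one quoted in the thread.
ROOT = "CN=Example Root CA (constructed)"
BC_CA = "C=US, O=Blue Coat Systems, CN=Blue Coat Public Services Intermediate CA"
LEAF = "CN=www.example.test (constructed)"


def self_issued_chain() -> List[Cert]:
    """CA(pathLen=0) -> self-issued CA -> end entity: the case Erwann describes."""
    return [
        Cert(subject=BC_CA, issuer=ROOT, is_ca=True, path_len=0),
        Cert(subject=BC_CA, issuer=BC_CA, is_ca=True),          # self-issued: no decrement
        Cert(subject=LEAF, issuer=BC_CA, is_ca=False),
    ]


def ordinary_sub_ca_chain() -> List[Cert]:
    """CA(pathLen=0) -> differently named sub-CA -> end entity: must be rejected."""
    sub_ca = "CN=Some Other Sub CA (constructed)"
    return [
        Cert(subject=BC_CA, issuer=ROOT, is_ca=True, path_len=0),
        Cert(subject=sub_ca, issuer=BC_CA, is_ca=True),          # consumes depth -> over limit
        Cert(subject=LEAF, issuer=sub_ca, is_ca=False),
    ]


if __name__ == "__main__":
    print("self-issued chain:", validate_path_length(ROOT, self_issued_chain()))
    print("ordinary sub-CA chain:", validate_path_length(ROOT, ordinary_sub_ca_chain()))
```

The first call returns None (accepted), the second returns a "pathLenConstraint exceeded" reason at index 1. Running a real chain through this model only tells you what a conforming verifier should decide; as Erwann notes, whether a given GnuTLS, OpenSSL or browser build actually implements the self-issued exception is an implementation question that has to be tested against that implementation.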
