Steinar, On Sun, Sep 11, 2011 at 8:12 PM, <sthaug@nethelp.no> wrote:
To pop up the stack a bit it's the fact that an organization willing to behave in that fashion was in my list of CA certs in the first place. Yes they're blackballed now, better late than never I suppose. What does that say about the potential for other CAs to behave in such a fashion?
I'd say we have every reason to believe that something similar *will* happen again :-(
Something similar, including use of purchased (not only limited to stolen certs), is ongoing already, all of the time. (I had a fellow IRC-chat-friend report from a certain very western-allied middle eastern country that there's ISP/state-scale SSL-MITM ongoing there, for all https traffic.) The comment on starting out with an empty /etc/ssl is valid. Most of the normally included CA's you almost never run into on the wild web anyway. There were some blog postings about this last time a CA was busted. Shave off 90% of them and you have at least come a bit on the way (goal 100%). The absence of proof is *not* proof of absence, and in this particular case it's pretty safe to assume some abuse is ongoing somewhere, 24/7. Cheers, Martin