The state-level attack on the SSL CA security model

Crist Clark Crist.Clark at
Tue Mar 29 12:32:56 CDT 2011

>>> On 3/29/2011 at 12:30 AM, Florian Weimer <fweimer at> wrote:
> * Crist Clark:
>> Any large, well funded national-level intelligence agency
>> almost certainly has keys to a valid CA distributed with
>> any browser or SSL package. It would be trivial for the US
>> Gov't (and by extension, the whole AUSCANNZUKUS intelligence
>> community) to simply form a shell company CA that could get
>> a trusted cert in the distros or enlist a "legit" CA to do
>> their patriotic duty (along with some $$$) and give up a key.
> I think this is far too complicated.  You just add your state PKI to
> the browsers, and the CPS does not require any checks on the Common
> Name, to verify it's actually somehow controlled by the certificate
> holder.  Curiously, such CAs can pass Webtrust audits.
> Now I'm a realist and assume that the bureaucrats involved are just
> too incompetent to write a proper CPS (and the auditors to lazy to
> notice).  Authoring policies and paying attention to detail, should be
> second nature to them, but somehow I doubt that the FPKI (say) issues
> certificates for non-federal entities to help with ongoing FBI
> investigations.  (Same for the German government agencies who actually
> managed to get Mozilla approval for their non-CN-checking CAs.)

I would expect intelligence agencies to not use CA certificates
that are publically associated with a gov't owned or operated CA.
It makes it too easy for the target to figure out they are being
spied on and by whom. To a lesser extent, the same goes for law
enforcement. They could not care less about being discovered after
the fact, but may not want the surveillance target to know they are
being watched.

Here's a Wired Threat Level blog entry, from just about
a year ago, about these commercially available tools for
law enforcement,

Crist Clark
Network Security Specialist, Information Systems
408 933 4387

More information about the NANOG mailing list