https - hopefully not too stupid a question

k.brown at k.brown at
Sun Jun 17 13:30:34 BST 2012

On 17 June 2012 11:29, Chris Edwards <chris-ukcrypto at> wrote:

> Outwith the enterprise environment, however, things are a little
> different.  A govt would need to persuade a certificate authority (CA)
> to supply the intermediate signing cert.  This goes against all the rules,
> and in theory should not be allowed.

Maybe they don't need to "persuade". It is at least possible to
imagine that a UK (or allied) government security organisation was in
on the ground floor of one of the CAs and either effectively owns it
or has installed some of its friends and managers and in technical
jobs. It wouldn't be the first time that government security had used
front companies.
In that case they might well have the real root certs anyway and not
need to fiddle with anything at short notice in order to keep the key
chains looking plausible. Or even quite genuine of either party to an
encrypted communication was a customer of the pet CA.

I'm not saying this is the case -  but the possibility that it might
be means the very cautious user of encryption (which of course most of
us aren't) would want to check certs in more than one way and possibly
not rely on any single issuer.

Ken Brown

More information about the ukcrypto mailing list