Re: [Full-disclosure] Trustwave and Mozilla (Resolved)


some important points seem missing here. First of all, Mozilla sent a CA
communications that clarifies that issuing MitM certificates is not
acceptable by the policy (in fact, the policy was *not* clear about that
before, this case has never been there). Furthermore, all other CAs (and
according to Trustwave, quite a few CAs consider this "common
practice"), have been given a deadline by which all of these
certificates have to be disclosed (so they can be blocked) and revoked.
Any CA not following this faces removal from NSS, which seems a clear
statement to me.

How is that compatible to "violating the end user"? In fact, revoking
the Trustwave CA wouldn't have helped a lot to protect the end-user. It
wouldn't have been possible to call out to other CAs and get them to
stop their MitM business because every such CA disclosing their MitM
cert policy would have been removed as well (otherwise it would be
unfair, wouldn't it?).

It seems to me that the situation is by far not as easy as some people
try to put it. Oh and by the way: Have you heard of any other browser
vendor taking *any* steps against Trustwave?



On 02/23/2012 01:12 AM, Jeffrey Walton wrote:
It appears to be official.

Trustwave issued MitM certificates, which is deceptive, unethical, and
contrary to its agreement for inclusion.

Mozilla just rewarded their violations of trust by continuing their
inclusion. Apparently, agreements between Mozilla and CAs have no
veracity as both are more than happy to violate the end user.

Original Bug:
NSS and Firefox Update:

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -