nanog mailing list archives
Re: Russia attempts mandating installation of root CA on clients for TLS MITM
From: Sean Donelan <sean () donelan com>
Date: Thu, 10 Mar 2022 19:35:48 -0500 (EST)
On Thu, 10 Mar 2022, Eric Kuhnke wrote:
I think we'll see a lot more of this from authoritarian regimes in the future. For anyone unfamiliar with their existing distributed DPI architecture, google "Russia SORM".
Many nations have a government CA. The United States Government has its Federal Public Key Infrastructure, and Federal Bridge CA.
https://playbooks.idmanagement.gov/fpki/ca/
If you use DOD CAC IDs or FCEB PIV cards or other federal programs, your computer needs to have the FPKI CAs. You don't need the FPKI CAs for other purposes.
Some countries' CAs issue for citizen and business certificates.
While X509 allows you to specify different CAs for different purposes, since the days of Netscape, browsers trust hundreds of root or bridged CAs in their trust repositories for anything.
Neither commercial nor government CAs are inherently more (or less) trustworthy. There has been trouble with CAs of all types.
An X509 certificate is a big integer number, in a fancy wrapper. It's not a magical object.
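
Added example, not part of the original post: because a client trust store trusts every root in it for anything, one practical check is to diff the store against a recorded baseline so a newly installed root CA is noticed. The function names and the baseline-as-fingerprint-set format are assumptions made for this sketch.

```python
from __future__ import annotations

import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual way a root is identified."""
    return hashlib.sha256(der).hexdigest()


def load_system_roots() -> list[bytes]:
    """DER certificates the default client context has loaded.

    Caveat: where OpenSSL uses a hashed CA directory (capath), roots are
    loaded lazily on demand, so this list can be incomplete on such systems.
    """
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs(binary_form=True)


def diff_trust_store(baseline: set[str], current_der: list[bytes]) -> dict:
    """Compare current roots with a baseline set of SHA-256 fingerprints.

    'added' is what to investigate: roots trusted now that were not trusted
    when the baseline was recorded. 'removed' usually reflects vendor updates.
    """
    current = {fingerprint(der) for der in current_der}
    return {
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
    }


if __name__ == "__main__":
    # Constructed stand-ins for DER blobs, used only to show the diff logic.
    recorded = [b"constructed-root-A", b"constructed-root-B"]
    baseline = {fingerprint(der) for der in recorded}
    now = [b"constructed-root-A", b"constructed-root-C"]
    print(diff_trust_store(baseline, now))

    # Against the real store: record this set once, then diff on a schedule.
    roots = load_system_roots()
    print(f"{len(roots)} roots currently loaded by the default context")
```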