Filippo Valsorda

To be clear: BlueCoat, the company making TLS MitM equipment allegedly used by govs to violate human rights, now has a REAL UNRESTRICTED CA.

@FiloSottile That "maintained full control of the private key" part makes absolutely no sense. That's how Verisign attempts to regain trust?

@alcyonsecurity it’s not undoubtedly true, but it does make sense. CAs do mint intermediates for corps and then manage them all the time.

@FiloSottile How? Unless they set CA path length=1 they have no control at all

@alcyonsecurity Symantec keeps the private key and only exposes a restricted API to the customer. Like Digicert and Plex.

@FiloSottile that part I understand, but that still does not technically restrict the depth of the CA hierarchy

@FiloSottile Simple fix: submit patches to Mozilla, Chromium, etc. to remove Symantec root.

@RichFelker As simple as just switching libc! ;)

@FiloSottile I know it's not simple and very controversial, which is kind of the point of submitting such a patch.

@FiloSottile A bugreport & proposed patch force them to try to justify keeping a rogue root CA, subjects them to public scrutiny.

@RichFelker to be fair, it's not rogue. It's just a shady *organizations*. But there's no proof of bad faith for that cert.

@FiloSottile @RichFelker there are reporting requirements, right? afair symantec has to inform mozilla if they issue new subCAs. did they?

@hanno @RichFelker yep.

@Scott_Helme Well, it can't make sub-CAs. Awesome, right? Sigh.

@FiloSottile @Scott_Helme I don't see the pathlen enforcement extension?

@riking27 @Scott_Helme in BasicConstraints