
Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

Posted Feb 10, 2012 1:49 UTC (Fri) by martin.langhoff (guest, #61417)
Parent article: Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

I want an SSL stack that fully ignores these subordinate certs, unless I click on the "Allow MITM" checkbox.

Who invited this misfeature to the party?



Posted Feb 12, 2012 14:02 UTC (Sun) by smcv (subscriber, #53363)

When used correctly, it's a security feature. CAs keep the long-lived key that the browser trusts (root key) offline, and sign certificates with a short-lived intermediate CA signed by the root key. They only need to take the root key out of storage when the intermediate CA is close to expiring.

The difference here is that Trustwave gave an intermediate CA key to another company rather than keeping control of it themselves.
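
The root/intermediate hierarchy described in the comment above, as an added example that is not part of the comment or the article: a throwaway lab PKI built with OpenSSL (1.1.1 or later assumed), where only the root is trusted and the intermediate is short-lived. It goes one step beyond the comment by giving the intermediate `pathlen:0`, so a validator rejects any further CA created underneath it; all names, lifetimes and file names are constructed.

```shell
#!/bin/sh
# Constructed lab PKI: all names, keys and files here are made up for the example.
# Assumes OpenSSL 1.1.1 or later on PATH.

issue() {  # issue NAME CN ISSUER EXT_SECTION DAYS  (run inside the lab directory)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" -config pki.cnf 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -out "$1.crt" -days "$5" -extfile pki.cnf -extensions "$4" 2>/dev/null
}

build_lab_pki() (  # $1 = empty working directory; subshell keeps the caller's cwd
  cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[inter_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
  # Long-lived root: in a real CA this key goes offline after signing the intermediate.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -days 3650 \
    -subj "/CN=Lab Root" -config pki.cnf -extensions root_ext 2>/dev/null &&
  issue inter "Lab Intermediate" root inter_ext 90 &&   # short-lived, pathlen:0
  issue leaf "www.example.test" inter leaf_ext 30 &&    # normal end-entity cert
  # A further CA created under the intermediate, and a leaf issued by it.
  issue sub "Lab Sub-CA" inter inter_ext 90 &&
  issue leaf2 "mail.example.test" sub leaf_ext 30 &&
  cat inter.crt sub.crt > chain2.pem
)

verify_chain() {  # verify_chain DIR LEAF UNTRUSTED_CHAIN; only root.crt is trusted
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/$3" "$1/$2" >/dev/null 2>&1
}

LAB=$(mktemp -d) && build_lab_pki "$LAB"
verify_chain "$LAB" leaf.crt inter.crt && echo "leaf via intermediate: accepted"
verify_chain "$LAB" leaf2.crt chain2.pem || echo "leaf via sub-CA: rejected (pathlen:0)"
```

The path length limit only takes effect if the issuing CA sets it and the relying party's validator enforces it; an intermediate issued without such constraints can sign for any name.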

