by Aoreias 3679 days ago
This isn't necessarily as nefarious as it seems - Blue Coat is going to have to comply with Symantec's Certification Practice Statement (CPS), which prohibits the issuance of MitM certificates. In all likelihood it's to allow Blue Coat to roll out a service that allows it to create certificates for clients of its security services. Any deviation from that CPS would necessitate revoking this intermediate certificate.

That said, I'm quite curious whether Google is going to require that all certificates Blue Coat issues be submitted to Certificate Transparency logs, like the rest of Symantec's certificates[0].

[0] https://security.googleblog.com/2015/10/sustaining-digital-c...


I'm hesitant to relax here. Blue Coat's got a nasty history of making money off of the regimes that'd do this without hesitation:

https://www.newsrecord.co/us-based-internet-surveillance-tec...

Sure, but if they started issuing MitM certs ANYWHERE then Symantec would have no choice but to revoke the CA's certificate. It doesn't matter if the CA was functioning for a corrupt regime or a well-intentioned business legitimately MitM'ing employees' traffic.

If Symantec didn't revoke the certificate then it would almost certainly lead to their root certificate being untrusted by major browsers and destroy their entire certificate business.

Between the time of issue and revocation, a lot of people can get arrested, monitored, or blackmailed.
That's how the beautiful rule of law works. Damage done, people killed, complaint rejected, "overruled".
This is a baby step in the direction of legitimate MITMing of SSL, which is something many of Blue Coat's customers would love. SSL's entire security profile is built around trust in a huge number of CAs, and if Blue Coat and others can persuade one to allow this in any form then SSL is fundamentally and permanently broken (without pinning or out-of-band checks) for pretty much all users except highly technical ones.
> In all likelihood it's to allow Blue Coat to roll out a service that allows it to create certificates for clients of its security services. Any deviation from that CPS would necessitate revoking this intermediate certificate.

So why doesn't Blue Coat establish their own CA for this purpose?

Are you saying they should become a new root CA? That is a huge amount of work, and would require them to convince all browsers and OS's to make them a root CA, which many would be reluctant to do.
If you're building an interception service (which this could be), then yes, you build your own Root CA which you install on devices that you want to intercept.

Legitimate uses of this would be things like government or military departments intercepting traffic from their own network.

As explained elsewhere in this thread, they have a history of working with regimes where they want to intercept the traffic of the general public in countries.

No, it would require them to add their cert on the intended machines under their control. The only reasons they would need the trust of all browsers and OS's are subterfuge and laziness. They should not be globally trusted to issue certificates.
"This isn't necessarily as nefarious as it seems" is nowhere near an acceptable level of trust for a certificate authority.
You're making a lot of assumptions about the terms under which this certificate was issued, which you don't know. Without seeing the contract between Symantec and Blue Coat you can't claim that they're bound by Symantec's CPS.

And even if they are bound by Symantec's CPS, they can do a lot of damage before the CPS can be enforced.

The certificate has this in it, which would seem to confirm what you're saying: "Explicit Text: In the event that the BlueCoat CPS and Symantec CPS conflict, the Symantec CPS governs."
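The thread turns on three things you can check in the intermediate certificate itself: the Certificate Policies user notice and CPS pointer quoted in the last comment, whether Certificate Transparency SCTs are embedded (the question raised in the first comment), and whether the CA is technically constrained by a Name Constraints extension or can sign for any name. The script below is an added example, not code from the thread or from Symantec or Blue Coat. It builds a constructed root/intermediate pair with the `cryptography` library that merely reproduces the shape of the quoted policy extension (the policy OID `2.999.1` is from the ITU-T example arc and the CPS URI is made up), then runs the three checks; `audit_pem()` runs the same checks on a real PEM file.

```python
"""Audit an intermediate CA cert for the properties discussed in the thread:
policy user notice / CPS pointer, embedded CT SCTs, and name constraints.
Added example; the sample certificate is constructed, not the real one."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Explicit text as quoted in the thread. The policy OID and CPS URI below are
# placeholders (assumptions), not values taken from the real certificate.
NOTICE_TEXT = ("In the event that the BlueCoat CPS and Symantec CPS conflict, "
               "the Symantec CPS governs.")
EXAMPLE_POLICY_OID = x509.ObjectIdentifier("2.999.1")      # ITU-T example arc
EXAMPLE_CPS_URI = "https://cps.example.test/intermediate"  # made up


def make_sample_intermediate(permitted_dns=None):
    """Constructed root -> intermediate pair. Pass a list of DNS suffixes to
    add a critical Name Constraints extension; leave it None for an
    unconstrained CA, which can sign for any name."""
    now = datetime.datetime.now(datetime.timezone.utc)
    root_key = ec.generate_private_key(ec.SECP256R1())
    sub_key = ec.generate_private_key(ec.SECP256R1())
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root")])
    sub_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Sub CA")])
    builder = (
        x509.CertificateBuilder()
        .subject_name(sub_name).issuer_name(root_name)
        .public_key(sub_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        # Same shape as the quoted extension: one policy with a CPS URI
        # qualifier (plain str) and a UserNotice carrying the explicit text.
        .add_extension(x509.CertificatePolicies([
            x509.PolicyInformation(EXAMPLE_POLICY_OID,
                                   [EXAMPLE_CPS_URI, x509.UserNotice(None, NOTICE_TEXT)])
        ]), critical=False)
    )
    if permitted_dns is not None:
        builder = builder.add_extension(x509.NameConstraints(
            permitted_subtrees=[x509.DNSName(d) for d in permitted_dns],
            excluded_subtrees=None), critical=True)
    return builder.sign(root_key, hashes.SHA256())


def policy_notices(cert):
    """Return [(policy OID, [CPS URIs], [explicit texts])] for every policy."""
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return []
    result = []
    for info in policies:
        uris, texts = [], []
        for qualifier in info.policy_qualifiers or []:
            if isinstance(qualifier, x509.UserNotice):
                if qualifier.explicit_text:
                    texts.append(qualifier.explicit_text)
            else:
                uris.append(qualifier)  # CPS pointer qualifiers are plain strings
        result.append((info.policy_identifier.dotted_string, uris, texts))
    return result


def has_embedded_scts(cert):
    """True if the cert carries the CT precertificate SCT list extension,
    i.e. it was logged before issuance. Absence does not prove it was never
    logged (SCTs can also travel in the TLS handshake or OCSP response)."""
    try:
        cert.extensions.get_extension_for_class(x509.PrecertificateSignedCertificateTimestamps)
        return True
    except x509.ExtensionNotFound:
        return False


def is_unconstrained_ca(cert):
    """True for a CA cert with no Name Constraints: it can issue for any
    domain, which is what the thread is worried about."""
    try:
        basic = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False
    if not basic.ca:
        return False
    try:
        cert.extensions.get_extension_for_class(x509.NameConstraints)
        return False
    except x509.ExtensionNotFound:
        return True


def audit(cert):
    return {"policies": policy_notices(cert),
            "embedded_scts": has_embedded_scts(cert),
            "unconstrained_ca": is_unconstrained_ca(cert)}


def audit_pem(pem_bytes):
    """Run the same checks on a real certificate exported as PEM."""
    return audit(x509.load_pem_x509_certificate(pem_bytes))


if __name__ == "__main__":
    for label, cert in (("unconstrained", make_sample_intermediate()),
                        ("constrained", make_sample_intermediate(["example.test"]))):
        print(label, audit(cert))
```

On a real intermediate, export the DER/PEM from the browser or from the Symantec CA page and feed it to `audit_pem()`; a policy entry whose explicit text mentions a subordinate CPS, no embedded SCTs, and `unconstrained_ca: True` together are exactly the combination that makes this kind of delegation worth watching.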