[vardump]

> In all likelihood it's to allow Blue Coat to roll out a service that allows it to create certificates for clients of its security services. Any deviation from that CPS would necessitate revoking this intermediate certificate.

So why doesn't Blue Coat establish their own CA for this purpose?

[Buge]

Are you saying they should become a new root CA? That is a huge amount of work, and would require them to convince all browsers and OS's to make them a root CA, which many would be reluctant to do.

[will_hughes]

If you're building an interception service (which this could be) - then yes, you build your own Root CA which you install on devices that you want to intercept.

Legitimate uses of this would be things like government or military departments intercepting traffic from their own network.

As explained elsewhere in this thread, they have a history of working with regimes where they want to intercept the traffic of the general public in countries.

[Kapow]

No, it would require them to add their cert on the intended machines under their control. The only reasons they would need the trust of all browsers and OS's are subterfuge and laziness. They should not be globally trusted to issue certificates.