[CentOS] Can we trust RedHAt encryption tools?

Fri Jan 10 15:16:26 UTC 2014
Robert Moskowitz <rgm at htt-consult.com>

On 01/10/2014 09:22 AM, Liam O'Toole wrote:
> On 2014-01-09, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
> (...)
>
>> You want to talk about leaky code?  Look how corporate mail proxies work
>> to enable them to read encrypted emails.  Simple lying about certs.
> That sounds worrying. Could you elaborate, or provide a citation?
>
This is quite common.  We were discussing this at IETF in Nov. Right now 
I forget the law which allows employers complete access to employee 
emails, but as such when the client asks for the recipient's cert, the 
server retrieves it, creates a fake one that is presented to the 
client.  The client encrypts the email, and sends it to the server.  The 
server decrypts, stores the content per corporate policy, then encrypts 
with the appropriate cert.  Well actually it is a bit more than that, as 
only the symmetric key is encrypted with the cert's key.  This is old 
stuff for me; I did secure mail a decade ago, and this workaround was 
well known then.

Also works well for web clients through the corporate HTTP proxy. 
Actually it is easier for web transactions than email.
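
What the substitution described in this message looks like from the client side, as an added example that is not part of the original post: two constructed certificates carry the same subject, one issued by a stand-in public CA and one by a stand-in corporate proxy CA, and a fingerprint learned out of band tells them apart where the name cannot. It assumes the `openssl` command-line tool; every name, address and file below is constructed.

```shell
#!/bin/sh
# Added example: all CA names, subjects and files are constructed for illustration.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca <prefix> <CA name>: self-signed CA certificate with a fresh EC key
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$work/$1.key" -out "$work/$1.pem" -subj "/CN=$2" -days 1 2>/dev/null
}

# issue <ca prefix> <out prefix>: same subject every time, new key, signed by that CA
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$work/$2.key" -out "$work/$2.csr" \
    -subj "/CN=Alice Example/emailAddress=alice@example.org" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.pem" -CAkey "$work/$1.key" \
    -CAcreateserial -out "$work/$2.pem" -days 1 2>/dev/null
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
subject_of()  { openssl x509 -in "$1" -noout -subject; }
issuer_of()   { openssl x509 -in "$1" -noout -issuer; }

# check_pin <cert> <pinned fingerprint>: succeeds only on an exact match
check_pin() { [ "$(fingerprint "$1")" = "$2" ]; }

make_ca public "Constructed Public CA"
make_ca corp   "Constructed Corporate Proxy CA"
issue public genuine       # the certificate the recipient really holds
issue corp   substituted   # same name, different key and issuer

# Fingerprint obtained out of band (in person, by phone, from a home network)
PIN=$(fingerprint "$work/genuine.pem")

for c in genuine substituted; do
  printf '%s\n  %s\n  %s\n' "$c" "$(subject_of "$work/$c.pem")" "$(issuer_of "$work/$c.pem")"
  if check_pin "$work/$c.pem" "$PIN"; then echo "  pin: match"; else echo "  pin: MISMATCH"; fi
done
```

Both certificates validate on a client that trusts the corporate CA, so the subject line alone gives no warning; the issuer and the fingerprint are the fields that differ.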