Personal Cloud (was: Did Ed Snowden do the right thing?)

Lonnie Olson lists at kittypee.com
Tue Jun 11 12:06:14 MDT 2013


On Tue, Jun 11, 2013 at 11:17 AM, John Shaver <bobjohnbob at gmail.com> wrote:
> My understanding is that verisign doesn't have private keys, only public
> keys.
>
> However having the CA private key does allow for sophisticated man in the
> middle attacks.  This can be circumvented by verifying the key signature,
> rather than just trusting the CA, but then, I guess, what is the point of
> even using SSL?
>
> Is there a distributed alternative that allows people to verify that the
> public key they receive is actually yours?

Verisign absolutely does have private keys for their CAs.  They have
to use them every time they sign a new certificate.

Jessie was just saying that the government probably coerced Verisign
into signing certificates for the government with names that match
popular web services like Google, Microsoft, etc.  Which would allow
the government to masquerade as these services via MITM attacks. I
personally doubt that this has occurred for several reasons: 1.
Verisign (and most other CAs) entire business depends on trust, and
their business would fall apart if this practice was ever discovered
(eg. DigiNotar).  2. It is much easier technically and legally
acceptable to simply subpoena the information at rest in certain
service providers like Google, Facebook, etc.

Our current CA system is already partially distributed.  You generally
trust several CAs to dutifully check the identity of every certificate
before signing.  This entire system is based on trusting a list of
organizations to perform these duties well.  The default list of CAs
that come in browsers do contain a lot of CAs, some which you
personally might not trust, but in general the browser makers do
remove CAs when they become corrupt and/or compromised.  Also, every
browser makes it possible to add or remove any CAs you wish, though
few people do.

There is actually already work in progress in replacing this
semi-distributed trust silo mechanism with something safer.
Convergence http://convergence.io/  Take a look, it can be used now
with browser addons.


More information about the PLUG mailing list