Personal Cloud (was: Did Ed Snowden do the right thing?)

John Shaver bobjohnbob at gmail.com
Tue Jun 11 12:27:26 MDT 2013


Sorry, you misunderstood me.  If I have a cert with them as the CA, they do
not have my private key to hand over to the government.  They certainly
have their own private key...
 On Jun 11, 2013 12:06 PM, "Lonnie Olson" <lists at kittypee.com> wrote:

> On Tue, Jun 11, 2013 at 11:17 AM, John Shaver <bobjohnbob at gmail.com>
> wrote:
> > My understanding is that verisign doesn't have private keys, only public
> > keys.
> >
> > However having the CA private key does allow for sophisticated man in the
> > middle attacks.  This can be circumvented by verifying the key signature,
> > rather than just trusting the CA, but then, I guess, what is the point of
> > even using SSL?
> >
> > Is there a distributed alternative that allows people to verify that the
> > public key they receive is actually yours?
>
> Verisign absolutely does have private keys for their CAs.  They have
> to use them every time they sign a new certificate.
>
> Jessie was just saying that the government probably coerced Verisign
> into signing certificates for the government with names that match
> popular web services like Google, Microsoft, etc.  Which would allow
> the government to masquerade as these services via MITM attacks. I
> personally doubt that this has occurred for several reasons: 1.
> Verisign (and most other CAs) entire business depends on trust, and
> their business would fall apart if this practice was ever discovered
> (eg. DigiNotar).  2. It is much easier technically and legally
> acceptable to simply subpoena the information at rest in certain
> service providers like Google, Facebook, etc.
>
> Our current CA system is already partially distributed.  You generally
> trust several CAs to dutifully check the identity of every certificate
> before signing.  This entire system is based on trusting a list of
> organizations to perform these duties well.  The default list of CAs
> that come in browsers do contain a lot of CAs, some which you
> personally might not trust, but in general the browser makers do
> remove CAs when they become corrupt and/or compromised.  Also, every
> browser makes it possible to add or remove any CAs you wish, though
> few people do.
>
> There is actually already work in progress in replacing this
> semi-distributed trust silo mechanism with something safer.
> Convergence http://convergence.io/  Take a look, it can be used now
> with browser addons.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>


More information about the PLUG mailing list