Are there any sources on the procedure by which NSLs and other subpoenas / gag orders could be used to coerce certificate authorities to hand over their private keys?

My guess is that the risk of using a different company's root certificate for MITM is too high: EFF's SSL Observatory would detect it. I'm surprised there have been no leaks about such attacks: it's fairly easy to mitigate, transparent, long term, and extremely effective, even against PFS.

Does anyone have guesses or information about how CAs handle their private keys? Are all certificates they sign for companies issued on airgapped computers? How high are the security standards of these companies?

Markus

On 25.07.2014 23:13, grarpamp wrote:
---------- Forwarded message ----------
From: John Gilmore <[email protected]>
Date: Thu, Jul 24, 2014 at 8:36 PM
Subject: Re: [Cryptography] hard to trust all those root CAs
To: John Kelsey <[email protected]>
Cc: "[email protected]" <[email protected]>,
"[email protected]" <[email protected]>


> For January, we have not received any National Security Letters this month.
> On the month you receive one, you stop putting such notices out, and sell the now-useless business.

Yeah, and the judge and prosecutor who get your case will be
helpless before your clever skills at evading them, because they've
never had to deal with literal-minded people trying transparent
dodges to get around the law before.

NSLs don't involve a judge.  Nor even a prosecutor.  They are an
investigative tactic, used by the FBI (or the FBI proxying for NSA),
long before a prosecutor is usually involved.

The more likely it is that you will disclose a government request for
snitching on your customers, the less likely it is that that request
will ever arrive.  Shining sunlight on spook activities is the best
way to make them crawl back into their hole.

You will doubtless enjoy the same success as tax protesters do when
they end up in court.  And shortly thereafter, you'll enjoy an
all-expenses-paid vacation with free room and board, courtesy of the
US government.

Chuckle chuckle, just like the headlines about marijuana reform for
decades.  First they laugh at you, etc.  But the joke doesn't excuse
the iron fist you are trying to invoke to influence people.
Mr. Kelsey, you usually don't fall to this level of "be afraid, the
[government] terrorists are coming" propaganda.

Ladar Levison, Mr. Lavabit, the last guy to do exactly what was
suggested, is still out walking the streets -- and starting new
companies that offer to protect their customers from covert
surveillance.  As often occurs, the spooks were less interested in
smashing a guy who's standing up for the rights of the public, than
they were in preventing a detailed public airing of what they were up
to when they ran into him.

        John
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography