My understanding is that Verisign doesn't have private keys, only public
keys.

However, having the CA private key does allow for sophisticated man-in-the-
middle attacks.  This can be circumvented by verifying the key signature,
rather than just trusting the CA, but then, I guess, what is the point of
even using SSL?

Is there a distributed alternative that allows people to verify that the
public key they receive is actually yours?

-John


On Tue, Jun 11, 2013 at 10:55 AM, Jessie A. Morris <[email protected]> wrote:

> On Tuesday, June 11, 2013 10:53:12 Lonnie Olson wrote:
> > Not really, this idea won't get you much farther.  Sure your data at
> > rest is safe from the US, but your data in transit is not.  And guess
> > what?  Unless you only use sneakernet, your data has to be in transit
> > at some time, and most of the time it will cross the US.
>
> Encryption exists. If you're using the right encryption, it doesn't matter.
> Unless you're assuming the NSA has backdoors into all the crypto methods,
> too, that is.
>
> And I'm not talking about SSL. SSL is broken due to the Certificate
> Authority problems. If the Government has access to Google's, Facebook's,
> etc. data, you can guarantee that they have coerced Verisign to give them a
> certificate or two.
> --
> Jessie A. Morris
> 801-210-1526
> [email protected]
>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
