On Tue, Jun 11, 2013 at 12:27 PM, John Shaver <[email protected]> wrote:
> Sorry, you misunderstood me. If I have a cert with them as the CA, they do
> not have my private key to hand over to the government. They certainly
> have their own private key...

Oh, totally right. The government couldn't decrypt your SSL session directly. But they could masquerade as you to another user using their own certificate and a man-in-the-middle attack, get the user to reveal their password, and any other data.
