On Wed, Feb 23, 2011 at 9:21 AM, Olivier Mehani <sht...@ssji.net> wrote: > Just some OT thoughts. > > On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote: >> CA's cannot be trusted to even pay attention to carefully securing >> your certificate. B Here in the US, the government can simply ask for >> your certificate and get it ( and possibly even use it to impersonate >> you) > > The government would have the certificate, but not the private key, so > I'm not sure how they can impersonate you with it.
it's a little more detailed than that they gov could say revoke his cert on the crl, and assign the next iteration to me with my arbitrary req generated with my arbitrary key at that point it would not matter if they don't have *his* private key if he controls the ca, then the gov/whoever is forced to do true mitm the big problem with the first is that chances are that your ca company is american/european (no bullet proof host), and they will give in like paypal wrt wikileaks > > However, they can just get their own key to *any* shoddy CA included in > browsers, and get a certificate linking that key to your services > without much problem. > > The problem is not really whether there is a trust relationship between > your CA provider and you, it's whether at least *one* CA is laxist > enough that they give out certificates without thorough checking. > > Even with your self-signed approach, somebody could get a CA to issue a > certificate that their key is good for your website, and impersonate it > to any of your new-coming customers who haven't been exposed to your > official key yet. > > I may also be wrong in my analysis, but as far as my understanding goes, > it's correct. > > -- > Olivier Mehani <sht...@ssji.net> > PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE B F5F9 F012 A6E2 98C6 6655 > > [demime 1.01d removed an attachment of type application/pgp-signature]
