On 1 January 2013 19:04, Keith Medcalf <kmedc...@dessus.com> wrote: > Perhaps Googles other "harvesters" and the government agents they sell or > give user credentials to, don't work against privately (not under the > goverment thumb) encryption keys without the surveillance state expending > significantly more resources. > > Perhaps the cheapest way to solve this is to apply thumbscrews and have > google require the use of co-option freindly keying material by their victims > errr customers errr users.
There is no difference in encryption terms between a certificate signed by an external CA and a certificate signed by itself, in either case only parties with the private key (which you should never send to the CA) can decrypt messages encrypted with that public key. Some CAs will offer to generate a key pair for you instead of managing your own keys, however that merely demonstrates that those CAs (and anyone who uses that service) don't know how the certificates they are issuing are meant to work. If anyone other than the party directly identified by the public key ever gets a copy of the private key then those keys are no longer secure and the certificate should be revoked immediately as it no longer has any meaning*. But if you ignore facts (as most conspiracy theories do) and try to argue it's part of a conspiracy to intercept data - we're talking about hop by hop transport encryption not end to end content encryption, google already have a copy of all the messages going through their service anyway. - Mike * A CA signs to say "we have verified this is google", not "this is either google or their CA or some other random person, well really we don't have a clue who it is but someone gave us money to sign here" - although the latter is probably more accurate in the real world.
