On Mon, Oct 21, 2013 at 11:57 PM, coderman <coderman@gmail.com> wrote:
On Mon, Oct 21, 2013 at 8:09 PM, Kyle Maxwell <kylem@xwell.org> wrote:
... So how do you propose that a provider perform SSL without keeping their private cert?
// Kelly John Rose wrote: // Put the server into the hands of a third party outside of the US. Have // that 3rd party have total and absolute rights to the SSL root // certificate and your party to not have any capacity to force said party Piratebay is an example of some international jurisdictional issues. So is the US waving down South American planes over Europe. Without a wiki containing a well documented matrix of jurisdictional policy and case history, be careful what you trust to such means.
change it every day. i know every CA i've used allows unlimited re-issue once purchased. every time you hand it over, change it. enforce forward secrecy, allow no non-forward secret suites. this is critical.
Why per service certs for transport? Why not per user certs/keys? Stick them in LDAP, service sign them for service authenticity, enhance daemons to lookup. Though securely figuring out which user cert to check for / use with each inbound service connection might still be a problem.
...they will however treat this as contempt of court - the escalation would be infinitely interesting!
fuck this bullshit, i can't convey my contempt for this practice (private keys via pen/trap register order) enough...
If lavabit is the case, we'll probably know in a year or two.