CryptoSeal shutters, ala: LavaBit
grarpamp
grarpamp at gmail.com
Tue Oct 22 22:52:37 PDT 2013
On Mon, Oct 21, 2013 at 11:57 PM, coderman <coderman at gmail.com> wrote:
> On Mon, Oct 21, 2013 at 8:09 PM, Kyle Maxwell <kylem at xwell.org> wrote:
>> ...
>> So how do you propose that a provider perform SSL without keeping
>> their private cert?
// Kelly John Rose wrote:
// Put the server into the hands of a third party outside of the US. Have
// that 3rd party have total and absolute rights to the SSL root
// certificate and your party to not have any capacity to force said party
Piratebay is an example of some international jurisdictional issues.
So is the US waving down South American planes over Europe.
Without a wiki containing a well documented matrix of jurisdictional
policy and case history, be careful what you trust to such means.
> change it every day. i know every CA i've used allows unlimited
> re-issue once purchased.
> every time you hand it over, change it.
> enforce forward secrecy, allow no non-forward secret suites. this is critical.
Why per service certs for transport? Why not per user certs/keys?
Stick them in LDAP, service sign them for service authenticity,
enhance daemons to lookup. Though securely figuring out which user cert
to check for / use with each inbound service connection might still be a
problem.
> ...they will however treat this as contempt of court - the escalation
> would be infinitely interesting!
>
> fuck this bullshit, i can't convey my contempt for this practice
> (private keys via pen/trap register order) enough...
If lavabit is the case, we'll probably know in a year or two.
More information about the cypherpunks
mailing list