Fwd: [Cryptography] hard to trust all those root CAs

oottela oottela at cs.helsinki.fi
Sat Jul 26 01:32:26 PDT 2014


Are there any sources on the procedure by which NSLs and other subpoenas / 
gag orders could be used to coerce certificate authorities into handing 
over their private keys?

My guess is the risk of using a root certificate of a different company 
for MITM is too high: EFF's SSL Observatory would detect it. I'm 
surprised there have been no leaks about such attacks: it's fairly easy to 
mitigate, transparent, long term, and extremely effective, even against 
PFS.

Does anyone have guesses or information about how CAs handle their 
private keys? Are all certificates they sign for companies done on 
air-gapped computers? How high are the security standards of these 
companies?

Markus



On 25.07.2014 23:13, grarpamp wrote:
> ---------- Forwarded message ----------
> From: John Gilmore <gnu at toad.com>
> Date: Thu, Jul 24, 2014 at 8:36 PM
> Subject: Re: [Cryptography] hard to trust all those root CAs
> To: John Kelsey <crypto.jmk at gmail.com>
> Cc: "justgold79 at gmail.com" <justgold79 at gmail.com>,
> "cryptography at metzdowd.com" <cryptography at metzdowd.com>
>
>
>> > For January, we have not received any National Security Letters this 
>> month.
>> > On the month you receive one, you stop putting such notices out, 
>> and sell the now-useless business.
>
>> Yeah, and the judge and prosecutor who get your case will be
>> helpless before your clever skills at evading them, because they've
>> never had to deal with literal-minded people trying transparent
>> dodges to get around the law before.
>
> NSLs don't involve a judge.  Nor even a prosecutor.  They are an
> investigative tactic, used by the FBI (or the FBI proxying for NSA),
> long before a prosecutor is usually involved.
>
> The more likely it is that you will disclose a government request for
> snitching on your customers, the less likely it is that that request
> will ever arrive.  Shining sunlight on spook activities is the best
> way to make them crawl back into their hole.
>
>> You will doubtless enjoy the same success as tax protesters do when
>> they end up in court.  And shortly thereafter, you'll enjoy an
>> all-expenses-paid vacation with free room and board, courtesy of the
>> US government.
>
> Chuckle chuckle, just like the headlines about marijuana reform for
> decades.  First they laugh at you, etc.  But the joke doesn't excuse
> the iron fist you are trying to invoke to influence people.
> Mr. Kelsey, you usually don't fall to this level of "be afraid, the
> [government] terrorists are coming" propaganda.
>
> Ladar Levison, Mr. Lavabit, the last guy to do exactly what was
> suggested, is still out walking the streets -- and starting new
> companies that offer to protect their customers from covert
> surveillance.  As often occurs, the spooks were less interested in
> smashing a guy who's standing up for the rights of the public, than
> they were in preventing a detailed public airing of what they were up
> to when they ran into him.
>
>         John
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography




More information about the cypherpunks mailing list