[cryptography] *.google.com certificate issued by DigiNotar

Seth David Schoen schoen at loyalty.org
Fri Sep 2 14:54:33 EDT 2011


Marsh Ray writes:

> Why would they need to?
> 
> What's the difference between a private key in the wild and a pwned
> CA that, even months after a break-in and audit, doesn't revoke or
> even know what it signed?
> 
> (This is a serious question)

The pwned CA leaves evidence that other people can potentially discover
or collect.  It also means that an individual user who knows what
public-key cryptography is can potentially do something to determine
whether an alleged key is valid.

-- 
Seth David Schoen <schoen at loyalty.org>      |  No haiku patents
     http://www.loyalty.org/~schoen/        |  means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |        -- Don Marti
