[cryptography] Math corrections
marsh at extendedsubset.com
Sun Sep 18 17:11:27 EDT 2011
On 09/18/2011 03:30 PM, Benjamin Kreuter wrote:
> To put it another way, governments like having the power to wiretap
> criminals, and they want their law enforcement agencies to be able to
> perform MITM attacks as part of that wiretapping power. Why would we
> trust the group of people who want to have the ability to perform MITM
> attacks to certify a system that is designed to prevent MITM attacks?
A. We'll need everybody on board to get something better in place.
B. If your threat model considers as an adversary government A, then
you're in good company with governments B through Z. So all the comments
on "won't save you from The Government", while true, are also
potentially writing off your biggest ally.
C. At the end of the day, governments need to log into their VPNs and
check their MS Outlook Web Access email remotely just like everybody
else. Now consider that this applies to process engineers at power
plants and chemical facilities too. When you hear US DHS people talking
about "national infrastructure vulnerable to cyber attack" they are
sincerely concerned about this type of exposure.
At some point, the influence of people on the defense side will outweigh
those who benefit from the attack side.
Now that the cat's out of the bag about PKI in general and there's an
Iranian guy issuing to himself certs for www.*.gov seemingly at will, I
think the current PKI system will not escape the black hole at this
point, it crossed the event horizon sometime earlier this year.
More information about the cryptography