[cryptography] Math corrections

Marsh Ray marsh at extendedsubset.com
Sun Sep 18 17:11:27 EDT 2011


On 09/18/2011 03:30 PM, Benjamin Kreuter wrote:
>
> To put it another way, governments like having the power to wiretap
> criminals, and they want their law enforcement agencies to be able to
> perform MITM attacks as part of that wiretapping power.  Why would we
> trust the group of people who want to have the ability to perform MITM
> attacks to certify a system that is designed to prevent MITM attacks?

A. We'll need everybody on board to get something better in place.

B. If your threat model considers as an adversary government A, then 
you're in good company with governments B through Z. So all the comments 
on "won't save you from The Government", while true, are also 
potentially writing off your biggest ally.

C. At the end of the day, governments need to log into their VPNs and 
check their MS Outlook Web Access email remotely just like everybody 
else. Now consider that this applies to process engineers at power 
plants and chemical facilities too. When you hear US DHS people talking 
about "national infrastructure vulnerable to cyber attack" they are 
sincerely concerned about this type of exposure.

At some point, the influence of people on the defense side will outweigh 
those who benefit from the attack side.

Now that the cat's out of the bag about PKI in general and there's an 
Iranian guy issuing to himself certs for www.*.gov seemingly at will, I 
think the current PKI system will not escape the black hole at this 
point, it crossed the event horizon sometime earlier this year.

- Marsh



More information about the cryptography mailing list