[cryptography] what has the NSA broken?

Alan Braggins alan.braggins at gmail.com
Sat Sep 7 05:05:30 EDT 2013


On 06/09/13 14:58, Ralph Holz wrote:
> On 09/06/2013 07:12 AM, James A. Donald wrote:
>> Most private keys are issued by, not merely certified by, the CAs.
>
> Can you give numerical evidence for this claim?

I was also thinking "[citation required]".


> The CAs I work with - StartSSL and DFN - either allow you to send CSRs or
> use the HTML keygen method. I'd be surprised if a majority of CAs
> insisted on generating the key for you.

Thawte for example says "Thawte does not have access to your Private
Key. It is generated locally on your server and is never transmitted to
Thawte."

Lots of instructions on how to generate a CSR on your server,
no links to a "we'll do it for you" option:

http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html
http://www.digicert.com/csr-creation.htm?rid=011592
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO6506&actp=search&viewlocale=en_US&searchid=1270237704682
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1108
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR235


