Author: Mike Hearn 2013-10-28 13:21:07
Published on: 2013-10-28T13:21:07+00:00
In an email dated October 28, 2013, Adam Back expressed his opinion on payment protocols and PGP signing. He noted that many of the payment protocol topics now being raised were already discussed a year earlier, when the protocol was first being designed. In his view, the right way to tackle governments getting bogus certificates issued is certificate transparency; all other suggestions tend to boil down to "handwaving" that does not solve the problem.

Back stated that the evidence from the Snowden case reinforces the strength of the CA system: no stories emerged about bulk use of fake certificates. He argued that the increased use of SSL was a game-changer for intelligence agencies, which compile databases of private keys obtained in various ways in order to defeat SSL. When the FBI wanted access to Lavabit, it tried to obtain the service's private keys rather than push a convenient "give me a fake cert" button. When Lavabit had to hand over its key, GoDaddy revoked its certificate because industry policies, which have no get-out clause for the FBI, forced its hand.

Back acknowledged that government-issued fake certificates are floating about somewhere, given the scale of hacking. However, he stated that demanding perfection from a system that handles security for over a billion people and tens of millions of operators is unreasonable. All we can ask for is that the system keeps improving, which initiatives like certificate transparency aim to do. Back concluded by asking to call time on these discussions, as they long ago ceased to have any value.
Updated on: 2023-06-07T18:46:31.515936+00:00