[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Feds put heat on Web firms for master encryption keys



On 07/25/2013 02:19 AM, Eugen Leitl wrote:
>
> (See also https://en.wikipedia.org/wiki/Convergence_(SSL) )
>
Convergence is an interesting idea, but I'm not sure how it addresses
the issue in the article. Convergence is designed to deal with
shortcomings of certificate authorities (by providing what Moxie calls
"trust agility," the ability to change who you trust to confirm public
keys). The problem is companies are sharing their private keys. If they
do this, how you get their public key is irrelevant - the content you
send them is accessible by a third party and the content you receive
from them can be tampered with.

Also, Convergence hasn't been updated in over a year and is full of
bugs. I don't think it even works on recent Firefox versions at all (at
least, the official git repo doesn't).