Buying and selling root certificates

Scott Francis darkuncle at darkuncle.net
Thu Apr 29 05:21:08 UTC 2004


On Thu, Apr 29, 2004 at 12:02:44AM -0500, stephen at sprunk.org said:
> 
> Thus spake "Robert E. Seastrom" <rs at seastrom.com>
> > Most of us who are willing to opportunistically do STARTTLS are using
> > self-signed certificates anyway.  We do this for many reasons; chief
> > among the reasons I do so are:
> >
> >    1) More encrypted traffic running around the Internet is a _good thing_
> 
> This is an oft-overlooked angle...  If only sensitive information is
> encrypted, then the mere use of encryption makes one a target -- one buys a
> safe only if they have valuables to protect, right?  However, if every home
> came with a safe, how would burglars figure out who to rob?
> 
> The feds clearly have the power to get through or around encryption
> suspected criminals are using: the FBI reports that there have been _zero_
> cases nationwide over the past several years where the use of encryption has
> prevented them or other agencies from obtaining the evidence needed, even
> when "secure" tools like PGP, SSL, or IPsec are used.
<snip>

That assumes the FBI can be trusted to be honest about cases where encryption
successfully foiled their investigations. It is in their best interest, after
all, to have everyone, criminals included, think encryption is not worth
using (_especially_ if it is). :)

OTOH, the average criminal is probably about as smart as the average user,
which means the FBI wouldn't have to break the crypto, when they could just
guess the criminal's passphrase/password with a minimum of effort ...

(that said, I absolutely agree that more crypto everywhere, for both
important and trivial traffic, is essential to reducing the "unusual" nature
of such traffic. Crypto should be the default, not the exception.)
</wishful thinking>
-- 
       Scott Francis | darkuncle(at)darkuncle(dot)net | 0x5537F527
                        Less and less is done
                     until non-action is achieved
             when nothing is done, nothing is left undone.
                                    -- the Tao of Sysadmin