On Wed, Jul 31, 2013 at 9:28 PM, Anthony <wikimail(a)inbox.org> wrote:
On Wed, Jul 31, 2013 at 5:59 PM, George Herbert
<george.herbert(a)gmail.com
wrote:
The second is site key security (ensuring the NSA
never gets your private
keys).
Who theoretically has access to the private keys (and/or the signing key)
right now?
People who have root at Wikimedia, which is Wikimedia's operations team and
a few of the developers.
The third is perfect forward security with rapid key
rotation.
Does rapid key rotation in any way make a MITM attack less detectable?
Presumably the NSA would have no problem getting a fraudulent certificate
signed by DigiCert.
SSL Observatory would likely pick that up if it was done in any large
scale. It's less detectable when done in a targeted way, but if that's the
case, the person being targeted is already pretty screwed and we wouldn't
likely be the site targeted.
- Ryan