On 06/15/2013 05:48 PM, rupert THURNER wrote:
> the conclusion is also interesting:
> when a company that uses a certificate authority located in a
> country different than the one in which it holds user data, it
> needlessly exposes users’ data to the compelled disclosure by an
> additional government.
> so, by getting the certificates from digicert, the traffic can easier
> be snooped by the u.s. government. and only u.s. citizens are
> protected by u.s. law. this gives a lot of trust :)

Your quote ("when a company that uses a certificate authority located in
a country different than the one in which it holds user data") warns of
what happens when you use a *foreign* (not the same as where the servers
are) cert. Wikimedia uses DigiCert, a provider in the same country,
exactly what that recommends.
Your statement that "the traffic can easier be snooped by the u.s.
government" is false. If Wikimedia received a secret U.S. court order
to turn over certain data, the certificate would make no difference,
since the headquarters and servers are already in the U.S.
But using a U.S. provider reduces the WMF's vulnerability to additional
governments.
Matt Flaschen