On Thu, Aug 1, 2013 at 4:28 AM, Anthony <wikimail(a)inbox.org> wrote:
On Wed, Jul 31, 2013 at 5:59 PM, George Herbert
<george.herbert(a)gmail.com>wrote;wrote:
The second is site key security (ensuring the NSA
never gets your private
keys).
Who theoretically has access to the private keys (and/or the signing key)
right now?
The roots.
https://meta.wikimedia.org/wiki/Sysadmins#List (was out of
date last time I overhauled it, maybe it's being updated more
regularly now)
The third is
perfect forward security with rapid key rotation.
Does rapid key rotation in any way make a MITM attack less detectable?
Presumably the NSA would have no problem getting a fraudulent certificate
signed by DigiCert.
I'm not seeing the relevance. And we have the SSL observatory (EFF) fwiw.
We (society, standards making bodies, etc.) need to do more to reform
the current SSL mafia system. (i.e. it should be easier for a vendor
to remove a CA from a root store and we shouldn't have a situation
where many dozens of orgs all have the ability to sign certs valid for
any domain.)
I'm not sure how much we (Wikimedia) can do about that though.
-Jeremy