Re: Number of CAs

On Sun, Nov 17, 2013 at 3:09 AM, Masataka Ohta <mohta@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Theodore Ts'o wrote:
>
> > Quibbling over numbers doesn't change the the fundamental premise,
> > which is that the certificate signing architecture for the web is
> > considered by some (including myself), to be pretty badly broken.
>
> To say so, one CA under US legislation or one CA using key
> handling hardware made by a company under US legislation
> is a lot more than enough.

This discussion really belongs on the PERPASS list.

Remember that as far as the US is concerned, the only is covert surveillance. The NSA is not going to attempt any operation if they believe that the risk of getting caught.

This is why transparency schemes such as CT are interesting. They don't prevent the attack but they deter it by raising the probability of being caught to 1.


One of the reasons that we are in this situation is that the highest levels of the NSA had a very shallow and ignorant understanding of what the Internet is. They only seem to understand defense as a tactical move to protect the ability to attack. Which is probably why they didn't bother to take the rather trivial efforts it would have required to prevent Snowdonia. They certainly have not been doing what they should have and protecting critical infrastructure from attack.

They do understand that it will be at least two Congresses before they have the chance for further increasing their legal authority. We have until 2017 to lock down the net and render any such capabilities moot.

But I think it very likely that by that time the organization of the NSA will be very different.
 

--
Website: http://hallambaker.com/
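On the point made above that a transparency log does not stop a mis-issued certificate but makes its issuance visible: the following is an added example, not part of this thread and not code written by any of its participants. It models a small RFC 6962-style append-only Merkle log (the leaf/node hashing and audit-path construction follow that RFC), a client that accepts a certificate only when it can tie it to the log's published root with an inclusion proof, and a domain-owner monitor that scans the log for certificates from a CA the owner never authorized. The log entries, domain names and CA names are constructed placeholders; the entry format (`domain=...;issuer=...;serial=...`) is an assumption made for the example.

```python
import hashlib

# Hashing conventions follow RFC 6962: leaf and interior node hashes are
# domain-separated so a leaf can never be passed off as an interior node.
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (requires n > 1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(entries: list[bytes]) -> bytes:
    """Merkle tree hash of an ordered list of log entries (RFC 6962 MTH)."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))

def audit_path(entries: list[bytes], m: int) -> list[bytes]:
    """Sibling hashes needed to recompute the root from entry m (RFC 6962 PATH)."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if m < k:
        return audit_path(entries[:k], m) + [merkle_root(entries[k:])]
    return audit_path(entries[k:], m - k) + [merkle_root(entries[:k])]

def verify_inclusion(entry: bytes, m: int, n: int, path: list[bytes], root: bytes) -> bool:
    """True iff `entry` is the m-th of n leaves under the published `root`."""
    def recompute(h, m, n, path):
        if n == 1:
            return h if not path else None   # a leftover sibling means a malformed proof
        if not path:
            return None
        k = _split(n)
        sibling = path[-1]                    # the last path element is the top-level sibling
        if m < k:
            sub = recompute(h, m, k, path[:-1])
            return None if sub is None else node_hash(sub, sibling)
        sub = recompute(h, m - k, n - k, path[:-1])
        return None if sub is None else node_hash(sibling, sub)
    return recompute(leaf_hash(entry), m, n, path) == root

class TransparencyLog:
    """Append-only log: a CA submits each certificate and gets back an inclusion proof."""
    def __init__(self):
        self.entries: list[bytes] = []

    def submit(self, entry: bytes) -> tuple[int, int, list[bytes]]:
        self.entries.append(entry)
        m = len(self.entries) - 1
        return m, len(self.entries), audit_path(self.entries, m)

    def root(self) -> bytes:
        return merkle_root(self.entries)

def parse_entry(entry: bytes) -> dict:
    # Assumed entry format for this example: "domain=...;issuer=...;serial=..."
    return dict(kv.split("=", 1) for kv in entry.decode().split(";"))

def monitor(log: TransparencyLog, domain: str, authorized: set[str]) -> list[int]:
    """Indices of logged certificates for `domain` issued by a CA the owner never authorized."""
    flagged = []
    for i, e in enumerate(log.entries):
        rec = parse_entry(e)
        if rec["domain"] == domain and rec["issuer"] not in authorized:
            flagged.append(i)
    return flagged

def demo() -> dict:
    log = TransparencyLog()
    # Constructed sample certificates; the CA names are placeholders.
    honest = b"domain=example.com;issuer=Honest CA;serial=1"
    other = b"domain=example.net;issuer=Honest CA;serial=2"
    rogue = b"domain=example.com;issuer=Coerced CA;serial=3"
    m0, n0, p0 = log.submit(honest)
    root0 = log.root()
    log.submit(other)
    m2, n2, p2 = log.submit(rogue)
    root2 = log.root()
    # A certificate that was never logged cannot produce a valid inclusion proof.
    unlogged = b"domain=example.com;issuer=Coerced CA;serial=4"
    return {
        "honest_accepted": verify_inclusion(honest, m0, n0, p0, root0),
        "rogue_accepted": verify_inclusion(rogue, m2, n2, p2, root2),
        "unlogged_rejected": not verify_inclusion(unlogged, m2, n2, p2, root2),
        "flagged": monitor(log, "example.com", {"Honest CA"}),
    }

if __name__ == "__main__":
    print(demo())
```

The result of `demo()` is exactly the trade-off the message describes: the mis-issued `rogue` certificate is still accepted by a transparency-enforcing client because it was logged, but the domain owner's monitor flags it (index 2), while the unlogged copy is rejected outright. The adversary therefore either leaves a permanent public record or fails to get the certificate accepted. A real deployment also needs consistency proofs between successive roots and gossip between clients and monitors so a log cannot show different views to different parties; this example omits both.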
