On Sun, Nov 17, 2013 at 8:03 PM, Masataka Ohta <mohta@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Phillip Hallam-Baker wrote:
>
>> The four most widely used browsers are all produced by US companies.
>
> Open source helps a lot.

Not unless you compile your browser from source and verify the source each time you compile. They have demonstrated an ability to hide compromise pretty well.

> Anyway, that does not answer my question of:
>
>>> Why do you insist on counting the number of Angels when just one
>>> fallen one is a lot more than enough?
>
>> If you posit an attack against the US CAs you must also accept that the NSA
>> could make the same threats against the browser providers which would have
>> the same effect with far less risk of being caught and far fewer
>> consequences to being caught.
>
> It does not deny my point that PKI is no better than DH.

You are conflating the possibility of an attack with the certainty of an attack succeeding.

>> If the NSA was to coerce a CA into issuing a false certificate I would
>> imagine their lawyers would point out to the court that doing so would
>> threaten the stability of the entire Internet economy and that if
>> discovered the CA would lose its business.
>
> Could you explain why google, apple, microsoft etc. did not behave so?

Subpoenaing the software providers and the CAs are two different issues. Google could not credibly claim that its business would be destroyed if PRISM was exposed but Symantec could and would make the claim that they would lose a business unit they paid $1.2 billion for.

Issuing a bogus certificate is a very visible event. The NSA is very risk averse when it comes to actions that are likely to be exposed.
Website: http://hallambaker.com/