Hacker News

basilikum, yesterday at 7:48 PM

They have the secret of the private keys used to sign certificates.

Looking at Lavabit [1] I really would not be so comfortable. The world and especially the US has not gotten more free since then.

[1] https://en.wikipedia.org/wiki/Lavabit


Replies

tialaramex, yesterday at 8:35 PM

They could mint certificates, for / about any name. But, those certificates won't work in popular applications unless the certificates include proof of logging.

So to be effective this means a hypothetical bad actor (maybe the US government or anybody else) issues bogus certificates, then either logs them - making a permanent record for everybody to see, or also subverts two or more logs, so that they issue bogus proofs.

This is a very expensive one shot attack on whatever the target would be, I guess it's not stupider than "Let's bomb Iran for no good reason" but it's up there.
