Design thoughts on next-gen PKI for better privacy - einhverfr
http://ledgersmbdev.blogspot.com/2013/06/tangent-design-thougths-about-next-gen.html

======
agwa
> An attack on a root ca can no longer reveal keys useful in eavesdropping on
> key exchange, but it could reveal keys useful for carrying out a man in the
> middle attack

This is already the case - if you compromise a CA you can sign certificates
for any domain you'd like, enabling you to pull off active MitM attacks, but
you can't passively eavesdrop on anything. Private keys are not registered with
CAs; rather, public keys are submitted to get signed.

While the CA system majorly sucks, and needs to be fixed, I don't think it's
the answer to mass surveillance, at least in the US. Even if the NSA could
sign any certificate they wanted, it seems extremely difficult to pull off
active MitM attacks for every connection across the entire Internet. An easier
approach is to attack the endpoints (Google, Facebook, etc.) which they're
allegedly already doing with PRISM. SSL/TLS can't protect against that.

~~~
einhverfr
The point is that with a multi-level system, where the CA issuing the
certificate is internal to the target, and where certificates are tracked over
time, you can detect what I call a divergence of timelines, i.e. a disruption
of key possession.

------
einhverfr
I figure who better to ask for design feedback and to help discuss the
technical details than the HN folks ;-) The basic idea is to create a PKI
which provides stable authentication across time as well as at a specific
moment so that even if you manage to step into the middle you can't remove
your surveillance without raising an alert.
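
The "divergence of timelines" idea from the comment above, and the point that an
interceptor cannot step back out without raising an alert, can be shown with a
small key-continuity log. This is an added illustration, not code from the
linked post or from any real PKI: each client connection records the SHA-256
fingerprint of the server's public key, a key that differs from the last one
seen is a divergence, and a key that changes back to one seen earlier is a
reversion. The host names, key bytes and timestamps are constructed sample
data, and the DER-encoded SubjectPublicKeyInfo input is an assumption.

```python
"""Key-continuity log: per-host timeline of observed public-key fingerprints.
Added example; the hosts, keys and timestamps are constructed, not real."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple


def fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER-encoded SubjectPublicKeyInfo (assumed input format)."""
    return hashlib.sha256(spki_der).hexdigest()


class KeyContinuityLog:
    """One timeline per host: an ordered list of (timestamp, fingerprint)."""

    def __init__(self) -> None:
        self._timeline: Dict[str, List[Tuple[int, str]]] = defaultdict(list)

    def observe(self, host: str, spki_der: bytes, ts: int) -> str:
        """Record one observation and classify it against the host's history."""
        fp = fingerprint(spki_der)
        history = self._timeline[host]
        if not history:
            event = "first_seen"    # trust on first use: nothing to compare against
        elif history[-1][1] == fp:
            event = "continuous"    # same key as the previous observation
        elif any(old_fp == fp for _, old_fp in history):
            event = "reversion"     # key changed back to an earlier one: strong signal
        else:
            event = "divergence"    # key changed: legitimate rotation or interception
        history.append((ts, fp))
        return event

    def keys_seen(self, host: str) -> List[str]:
        """Distinct fingerprints for a host, in order of first appearance."""
        seen: List[str] = []
        for _, fp in self._timeline[host]:
            if fp not in seen:
                seen.append(fp)
        return seen


# Constructed stand-ins for two DER-encoded public keys (not real key material).
KEY_A = b"constructed-spki-A"
KEY_B = b"constructed-spki-B"


def demo() -> List[str]:
    """Replay a constructed timeline: A, A, then B appears, then A returns."""
    log = KeyContinuityLog()
    observations = [
        ("example.com", KEY_A, 1000),
        ("example.com", KEY_A, 2000),
        ("example.com", KEY_B, 3000),   # a different key shows up
        ("example.com", KEY_B, 4000),
        ("example.com", KEY_A, 5000),   # the original key is back
    ]
    return [log.observe(host, key, ts) for host, key, ts in observations]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

A single observer cannot tell a legitimate key rotation from an interception at
the moment of divergence; the reversion, a return to a key already on record, is
the event the comment is pointing at, since an interceptor who later leaves
restores the original key and produces exactly that pattern.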

------
gasull
Doesn't a system like Tor prevent MITM attacks as long as you connect only to
.onion sites? Isn't this solved too in I2P and Freenet?

Maybe the Web isn't the right tool because everything is in the open.

------
moxie
You might be interested in TACK: [http://tack.io](http://tack.io)