Hacker News new | past | comments | ask | show | jobs | submit login

There is just so much more to public key crypto than public web SSL/TLS.

This is what I was thinking.

This sounds more like certificates are broken than public key crypto.

Yes they can come to me for my private key, but that's a different issue, then at least they're coming to me and not going to some intermediary "trusted party".

If certificates are broken then public key crypto is broken, because a trusted third-party certificate is necessary to prevent man-in-the-middle attacks, no?

No. The trust model of HTTPS was always broken from the start. This whole story "only" reinforces the point that key distribution and management is hard, and a central list of certificate authorities is not a good solution.

This story has exactly zero effects if you use some public-key system with different key management.

On the negative side, good systems don't really exist. On the plus side, this story might help push the development of good systems.

And the feds can demand the keys to those other things too :P

Yes, that's true, but there is a big difference between you being responsible for (not) handing over something that is in your possession and being unaware of a presumed safe channel being unsafe.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact