On 04 Jun 2023, Phigan said the following...
Ph> systems and browsers, the ones we trust. It's technically possible for
Ph> any of them to have master keys to the certificates they generate and sign,
Ph> but as the response in the link says, it's highly unlikely they would go
Ph> using those willy nilly.
no, that is not the case at all.
you send a CSR and the public key to the CA. that's it. there is no "master
key". the CA's only purpose and capability is to validate the owner of a public
key. they are incapable of decrypting anything.
now, lets say the kitchensync.net bbs has a certificate/public/private key they
use. i can encrypt stuff all day long with the public key (in the
certificate) and nobody but that bbs would ever be able to see it. remember the
CA doesn't have the private key.
now, if a shitty CA decides to sign a certificate for kitchensync.net with a
different public key, that's an entirely different thing. since suddenly someone
else can pretend to be them, and they have a separate private key that can
decrypt data encrypted with the fake certificate. but in no way does this mean
that the real certificate or private key are no longer secure. you
can't decrypt stuff from the original with the new ones.
--- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
* Origin: cold fusion - cfbbs.net - grand rapids, mi
|
