Re: tailscale ..impressive

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=57&group=DOVE-Net.Internet#57

From: fusion@VERT/CFBBS (fusion)
To: Phigan
Subject: Re: tailscale ..impressive
Message-ID: <647DA797.8799.dove-int@vert.synchro.net>
Date: Mon, 5 Jun 2023 05:14:00 +0000
X-Comment-To: Phigan
Path: rocksolidbbs.com!not-for-mail
Newsgroups: DOVE-Net.Internet
X-FTN-PID: Synchronet 3.20a-Linux master/90c924552 Jun 4 2023 GCC 12.2.0
X-FTN-CHRS: ASCII 1
WhenImported: 20230605021503-0700 c1e0
WhenExported: 20230605081433-0700 c1e0
ExportedFrom: VERT dove-int 8799
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
 by: fusion - Mon, 5 Jun 2023 05:14 UTC

On 04 Jun 2023, Phigan said the following...
Ph> systems and browsers, the ones we trust. It's technically possible for
Ph> any of them to have master keys to the certificates they generate and
Ph> sign, but as the response in the link says, it's highly unlikely they
Ph> would go using those willy nilly.

no, that is not the case at all.

you send a CSR and the public key to the CA. that's it. there is no "master key". the CA's only purpose and capability is to validate the owner of a public key. they are incapable of decrypting anything.

now, let's say the kitchensync.net bbs has a certificate/public/private key they use. i can encrypt stuff all day long with the public key (in the certificate) and nobody but that bbs would ever be able to see it. remember the CA doesn't have the private key.

now, if a shitty CA decides to sign a certificate for kitchensync.net with a different public key, that's an entirely different thing. since suddenly someone else can pretend to be them, and they have a separate private key that can decrypt data encrypted with the fake certificate. but in no way does this mean that the real certificate or private key are no longer secure. you can't decrypt stuff from the original with the new ones.

--- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
* Origin: cold fusion - cfbbs.net - grand rapids, mi
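
The three cases described in the post above (CSR, genuine certificate, mis-issued certificate), as an added example that is not part of the original post. It assumes the openssl command-line tool is installed and uses constructed names (bbs.example, "Example CA") and throwaway keys to check which private key can decrypt a message encrypted to the genuine certificate.

```shell
#!/bin/sh
# Added example with constructed keys and names (bbs.example, "Example CA").
# Assumes the openssl command-line tool is installed.
set -eu
W=$(mktemp -d)                      # scratch directory for the demo files
trap 'rm -rf "$W"' EXIT
MSG='meet at the usual node'        # constructed plaintext

# Site owner: generate a key pair; only the CSR ever leaves the machine.
openssl genrsa -out "$W/site.key" 2048 2>/dev/null
openssl req -new -key "$W/site.key" -subj "/CN=bbs.example" -out "$W/site.csr"

# CA: has its own key pair and signs the request it is handed.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/ca.key" \
  -subj "/CN=Example CA" -days 1 -out "$W/ca.crt" 2>/dev/null
issue() {  # issue NAME: the CA signs NAME.csr into NAME.crt
  openssl x509 -req -in "$W/$1.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" \
    -CAcreateserial -days 1 -out "$W/$1.crt" 2>/dev/null
}
issue site

# Mis-issuance: same name, different key pair, signed by the same CA.
openssl genrsa -out "$W/rogue.key" 2048 2>/dev/null
openssl req -new -key "$W/rogue.key" -subj "/CN=bbs.example" -out "$W/rogue.csr"
issue rogue

# A client encrypts to the public key inside the genuine certificate.
printf '%s' "$MSG" > "$W/msg"
openssl pkeyutl -encrypt -certin -inkey "$W/site.crt" -in "$W/msg" \
  -pkeyopt rsa_padding_mode:oaep -out "$W/msg.enc"

csr_has_only_pubkey() {  # the CSR's key is the public half of site.key
  [ "$(openssl req -in "$W/site.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$W/site.key" -pubout)" ] &&
    ! grep -q 'PRIVATE KEY' "$W/site.csr"
}
chains_to_ca() {  # chains_to_ca NAME: NAME.crt verifies under the CA
  openssl verify -CAfile "$W/ca.crt" "$W/$1.crt" >/dev/null 2>&1
}
can_decrypt() {  # can_decrypt NAME: NAME.key recovers the plaintext
  out=$(openssl pkeyutl -decrypt -inkey "$W/$1.key" -in "$W/msg.enc" \
    -pkeyopt rsa_padding_mode:oaep 2>/dev/null) || return 1
  [ "$out" = "$MSG" ]
}

for k in site ca rogue; do
  if can_decrypt "$k"; then echo "$k.key: decrypts"; else echo "$k.key: cannot decrypt"; fi
done
```

Both site.crt and rogue.crt verify under the same CA, which is the impersonation risk the post describes; only site.key opens the ciphertext made for the genuine certificate.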

Re: tailscale ..impressive

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=60&group=DOVE-Net.Internet#60

From: phigan@VERT/TACOPRON (Phigan)
To: fusion
Subject: Re: tailscale ..impressive
Message-ID: <647E273A.326.dove-internet@tacopronto.bbs.io>
Date: Mon, 5 Jun 2023 11:19:38 -0700
X-Comment-To: fusion
Path: rocksolidbbs.com!not-for-mail
Organization: Taco Pronto
Newsgroups: DOVE-Net.Internet
In-Reply-To: <647DA797.8799.dove-int@vert.synchro.net>
References: <647DA797.8799.dove-int@vert.synchro.net>
X-FTN-PID: Synchronet 3.19c-Linux / Jun 26 2022 GCC 9.4.0
X-FTN-CHRS: CP437 2
WhenImported: 20230605112710-0700 c1e0
WhenExported: 20230605201429-0700 c1e0
ExportedFrom: VERT dove-int 8802
WhenImported: 20230605111938-0700 41a4
WhenExported: 20230605112706-0700 41a4
ExportedFrom: TACOPRON dove-internet 326
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: Phigan - Mon, 5 Jun 2023 18:19 UTC

Re: Re: tailscale ..impressive
By: fusion to Phigan on Mon Jun 05 2023 05:14 am

> you send a CSR and the public key to the CA. that's it. there is no "master
> key". the CA's only purpose and capability is to validate the owner of a
> public key. they are incapable of decrypting anything.

That's when you're the one generating the cert request. What if some application or service is doing it for you? My point is more for messaging and other communication apps that tout "end to end encryption" vs SSL used for HTTPS.

---
■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
