[jancsika]

> The rogue CA would need to perform a classical MiTM as all the other mortals do, having access to the signing keys does not give you special MiTM powers, other than when you actually are able to conduct a MiTM through other means, you'll have valid certs to intercept the connection.

But this thread is operating under the thought experiment that the NSA already owns LetsEncrypt. And in reality-- at least according to the Snowden leaks-- NSA currently has classical MiTM capabilities. (Can't remember which program it was that was using some node between the user and the desired server to send back a forged response that would almost always beat the server to the punch.)

So in this thought experiment there are only two pieces of Triforce and NSA has them both.

[schoen]

> (Can't remember which program it was that was using some node between the user and the desired server to send back a forged response that would almost always beat the server to the punch.)

These were called QUANTUM (with various sub-projects related to specific applications of that capability).

[Ajedi32]

The point is that the NSA doesn't need to own Let's Encrypt to do that; they could use literally _any_ certificate authority.

Also there _is_ a third piece of the triforce; certificate transparency logs; and those would be very difficult to compromise without the certificate transparency monitors noticing.