Hacker News new | ask | show | jobs
by wulfstan 425 days ago
I don't accept that. We have "master keys" for some forms of encryption right now in the form of root certificates; knowing that root cert authorities could issue certificates that might allow people to sniff my network traffic doesn't keep me awake at night.
2 comments
ziddoap 425 days ago
To reduce any risks, almost everything PKI-related is conducted in public, is auditable by anyone, and is a cooperation between dozens of distinct entities located globally.

This is not analogous to a single government having non-transparent, non-auditable access to decrypt communications of its own citizens.

link
wulfstan 425 days ago
Then setup the system to be more analogous. Make the publication of key issuance under this mechanism public after a period of time.

Again, I see us falling back into an "all or nothing" view of privacy and I just don't think those are the only options.

link
ziddoap 425 days ago
>Then setup the system to be more analogous. Make the publication of key issuance under this mechanism public after a period of time.

That (somewhat, barely) addresses one of ~dozen issues with the proposal.

>Again, I see us falling back into an "all or nothing" view of privacy

Not to be too pedantic, but I think the distinction between privacy and encryption is incredibly important: almost everyone agrees that privacy is a gradient. The disagreement is whether or not encryption can be a gradient. Most people do not think it can reasonably be without undermining ~everything relying on it.

link
wulfstan 425 days ago
I get the hostility towards it - as I've said elsewhere, it's practically an article of faith in our community that strong encryption == unalloyed good. And clearly it needs a lot of thinking to address potential abuse. But we've done it for other things.

> Not to be too pedantic, but I think the distinction between privacy and encryption is incredibly important: almost everyone agrees that privacy is a gradient. The disagreement is whether or not encryption can be a gradient. Most people do not think it can reasonably be without undermining ~everything relying on it.

That is a fair criticism. I would answer that by saying that encryption is just a technology, and you can employ it in very flexible ways (including e.g. n-of-m style keys) which if thought through well and legislated carefully could give the authorities more reasonable access to data when it is legally warranted.

link
01HNNWZ0MV43FF 425 days ago
Not really. You can get around with pinning public keys like IoT devices and Tor and i2p do

A proposal to backdoor all cryptography is worse than having pki as a think we opt in to for the sake of convenience

link