by soitgoes 4749 days ago
Having the root CA's private key doesn't give them access to the end entity's private keys. When you ask a CA for a cert, you only provide them with your public key (in the form of a CSR) for them to sign. The CSR does not contain the private key.

But getting an employee to hand over the private key and giving him a gag order afterwards is an option, of course.
https://en.wikipedia.org/wiki/Perfect_forward_secrecy

https://en.wikipedia.org/wiki/ECDHE

Google is using it, and a few other sites too, though they are in the minority. OpenSSL has supported it since version 1.0.0, which was released in March 2010.

True, but they would have to do this for every single web server they would want to collect information from. Not impossible, but it'd be a lot of work.