search for: law_

...unknown participants cannot be a "Certificate Authority" in its true sense. This is why you should see "Let's Encrypt" simply as a cheap way to fake security. It is a US entity, which means it _must_ hand out all necessary keys to fake certificates to the US authorities _by law_. Now probably you can imagine why they are giving the certificates out for free. US authorities can compromise all of them - without any "open knowledge". It would be dead easy to prevent this fake for the guys at mozilla or google (for the web), but they don't. All that is needed is...

...ipants cannot be a "Certificate Authority" in its > true sense. This is why you should see "Let's Encrypt" simply as a cheap way > to fake security. It is a US entity, which means it _must_ hand out all > necessary keys to fake certificates to the US authorities _by law_. > Now probably you can imagine why they are giving the certificates out for > free. US authorities can compromise all of them - without any "open knowledge". Wow, you packed a lot of fear, uncertainty and doubt (and some misinformation) into one paragraph.? I'll leave it at th...

...e a "Certificate Authority" in its > > true sense. This is why you should see "Let's Encrypt" simply as a cheap > > way to fake security. It is a US entity, which means it _must_ hand out all > > necessary keys to fake certificates to the US authorities _by law_. > > Certificate authorities, including Let's Encrypt, operate on Certificate > Signing Requests, not Private Keys. Some CAs do offer private key > generation in their services for the user's convenience, but it is not > recommended (obviously) and in no way required....

...ipants cannot be a "Certificate Authority" in its > true sense. This is why you should see "Let's Encrypt" simply as a cheap way > to fake security. It is a US entity, which means it _must_ hand out all > necessary keys to fake certificates to the US authorities _by law_. Certificate authorities, including Let's Encrypt, operate on Certificate Signing Requests, not Private Keys. Some CAs do offer private key generation in their services for the user's convenience, but it is not recommended (obviously) and in no way required. Getting a CA to sign a CS...

...ipants cannot be a "Certificate Authority" in its > true sense. This is why you should see "Let's Encrypt" simply as a cheap way > to fake security. It is a US entity, which means it _must_ hand out all > necessary keys to fake certificates to the US authorities _by law_. > Now probably you can imagine why they are giving the certificates out for > free. US authorities can compromise all of them - without any "open knowledge". Wow, you packed a lot of fear, uncertainty and doubt (and some misinformation) into one paragraph. I'll leave it at th...

...t be a "Certificate Authority" in its >> true sense. This is why you should see "Let's Encrypt" simply as a cheap way >> to fake security. It is a US entity, which means it _must_ hand out all >> necessary keys to fake certificates to the US authorities _by law_. >> Now probably you can imagine why they are giving the certificates out for >> free. US authorities can compromise all of them - without any "open knowledge". > > Wow, you packed a lot of fear, uncertainty and doubt (and some > misinformation) into one paragraph.?...

...ficate Authority" in its > > > true sense. This is why you should see "Let's Encrypt" simply as a cheap > > > way to fake security. It is a US entity, which means it _must_ hand out all > > > necessary keys to fake certificates to the US authorities _by law_. > > > > Certificate authorities, including Let's Encrypt, operate on Certificate > > Signing Requests, not Private Keys. Some CAs do offer private key > > generation in their services for the user's convenience, but it is not > > recommended (obviously)...

Excuse dopey question. I'm not exactly clear about certificates. Apache2 default install has this snake oil certificate Can make a new one for apache Can make one for dovecot Can make one for ssl Is there supposed to be the one (self signed ) certificate pair in one place for the machine that each process hands out ? Can they be moved to another machine ? mick -- Key ID C7D6E24C