
> Or I could subscribe to feeds from other entities I trust, like the EFF.

How would you validate that the EFF's feed is actually from the EFF? Assuming we're using existing SSL infrastructure, the browser would first need to trust the CA used by the EFF, which means we need an initial set of trusted CAs.




> which means we need an initial set of trusted CAs.

How would you validate that the initial set of trusted CA roots is actually from those CAs?


It ships with your operating system, which you physically obtain from another computer (with hardware like a USB drive or via an internal network).
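The chain-of-trust point made in the two comments above (the feed's certificate has to chain to a CA root that the browser already trusts, and that initial root set arrives with the OS) as an added, runnable illustration that is not from any commenter: using only the Go standard library it builds a constructed root CA and a leaf certificate for a hypothetical feed host, then verifies the leaf once against a pool holding that root and once against an empty pool. The host name feeds.example.org, the CA name and all keys are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with signer's key; parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// BuildChain creates a constructed, in-memory root CA and a leaf certificate for host signed by it.
func BuildChain(host string) (root, leaf *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
	}
	root = issue(rootTmpl, rootTmpl, rootPub, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	leaf = issue(leafTmpl, root, leafPub, rootKey)
	return root, leaf
}

// VerifyFeedCert validates leaf for host against exactly the given anchors (never the
// system store); with an empty pool the chain has nothing to terminate in and fails.
func VerifyFeedCert(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	root, leaf := BuildChain("feeds.example.org")
	shipped := x509.NewCertPool() // stands in for the root store the OS ships with
	shipped.AddCert(root)
	println(VerifyFeedCert(leaf, "feeds.example.org", shipped) == nil, VerifyFeedCert(leaf, "feeds.example.org", x509.NewCertPool()) == nil)
}
```

The same leaf is accepted or rejected purely depending on which roots were pre-loaded, which is the regress the thread is circling: verification never bootstraps itself, it only moves the trust decision to whoever populated the pool.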


But how to trust that this other computer has a good set of CAs?


How can you know your signing software is not backdoored? How can you know you're not living in a computer simulation?


Well, I'm certain my eyes are real so I am certainly not living in a computer simulation.


"If real is what you can feel, smell, taste and see, then 'real' is simply electrical signals interpreted by your brain." -Morpheus, The Matrix

(finally, finally there's a use for that quote!)


How Can Our CA Roots Be Real If Our Eyes Aren't Real

https://twitter.com/officialjaden/status/329768040235413504?...



