• Re: tailscale ..impressiv

    From paulie420@VERT/BEERS20 to Phigan on Saturday, June 03, 2023 05:40:00
    Sounds pretty cool, but any time you're involving another party into the mix, there's always a chance they can eavesdrop on you. Sure, they _say_ end to end encryption etc etc, but there's nothing stopping them from having a master key to all that encryption.

    There's a self-hosted solution. (Multiple, actually...)

    Headscale, Zero-Tier, can't think of the other one ATM. :P All great OSS options that create the same tunnels as tailscale.



    pAULIE42o
  • From fusion@VERT/CFBBS to Phigan on Monday, June 05, 2023 05:14:00
    On 04 Jun 2023, Phigan said the following...

    systems and browsers, the ones we trust. It's technically possible for any of them to have master keys to the certificates they generate and sign, but as the response in the link says, it's highly unlikely they would go using those willy nilly.

    no, that is not the case at all.

    you send a CSR and the public key to the CA. that's it. there is no "master key". the CA's only purpose and capability is to validate the owner of a public key. they are incapable of decrypting anything.

    now, let's say the kitchensync.net bbs has a certificate/public/private key they use. i can encrypt stuff all day long with the public key (in the certificate) and nobody but that bbs would ever be able to see it. remember the CA doesn't have the private key.

    now, if a shitty CA decides to sign a certificate for kitchensync.net with a different public key, that's an entirely different thing. since suddenly someone else can pretend to be them, and they have a separate private key that can decrypt data encrypted with the fake certificate. but in no way does this mean that the real certificate or private key are no longer secure. you can't decrypt stuff from the original with the new ones.

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi
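
The CSR/CA argument in the post above, worked through as an added example (not code from the thread or from any poster): the CA signs only the name and public key it is sent, so its own key cannot read traffic encrypted to the site, while a mis-issued certificate for a different key verifies but opens only traffic encrypted to that other key. The toy textbook RSA, the fixed Mersenne primes, the sample message and all function names are assumptions made for illustration.

```python
# Added illustration: textbook RSA on fixed Mersenne primes, no padding.
# Toy parameters chosen for readability; never use this for real traffic.
import hashlib

E = 65537

def keypair(p, q):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def rsa(key, m):
    """Raw RSA: encrypt/verify with a public key, decrypt/sign with a private one."""
    n, exp = key
    return pow(m, exp, n)

def digest(name, pub, ca_n):
    """Hash of the (name, public key) binding that the CA signs."""
    data = f"{name}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ca_n

def ca_sign(ca_priv, csr):
    """The CA sees only the CSR (name + public key) and returns it signed."""
    return {**csr, "sig": rsa(ca_priv, digest(csr["name"], csr["pub"], ca_priv[0]))}

def verify(ca_pub, cert):
    """Check the CA signature over the name and key carried in the certificate."""
    return rsa(ca_pub, cert["sig"]) == digest(cert["name"], cert["pub"], ca_pub[0])

def demo():
    site_pub, site_priv = keypair(2**89 - 1, 2**107 - 1)    # private half stays on the BBS
    ca_pub, ca_priv = keypair(2**127 - 1, 2**521 - 1)       # the CA's own signing key
    other_pub, other_priv = keypair(2**61 - 1, 2**607 - 1)  # a third party's own key
    msg = int.from_bytes(b"hello bbs", "big")               # constructed sample message

    real = ca_sign(ca_priv, {"name": "kitchensync.net", "pub": site_pub})
    mis = ca_sign(ca_priv, {"name": "kitchensync.net", "pub": other_pub})  # mis-issued
    ct_real = rsa(real["pub"], msg)  # client encrypts to the key in the real cert
    ct_mis = rsa(mis["pub"], msg)    # client was handed the mis-issued cert instead
    return {
        "real_cert_verifies": verify(ca_pub, real),
        "mis_issued_cert_verifies": verify(ca_pub, mis),
        "swapped_key_verifies": verify(ca_pub, {**real, "pub": other_pub}),
        "site_reads_real": rsa(site_priv, ct_real) == msg,
        "ca_reads_real": rsa(ca_priv, ct_real) == msg,
        "third_party_reads_real": rsa(other_priv, ct_real) == msg,
        "third_party_reads_mis": rsa(other_priv, ct_mis) == msg,
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `mis_issued_cert_verifies` result is the case certificate transparency logs and CAA records exist to catch: the signature is valid, so only the unexpected public key gives it away.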
  • From Phigan@VERT/TACOPRON to fusion on Monday, June 05, 2023 11:19:00
    Re: Re: tailscale ..impressive
    By: fusion to Phigan on Mon Jun 05 2023 05:14 am

    you send a CSR and the public key to the CA. that's it. there is no "master key". the CA's only purpose and capability is to validate the owner of a public key. they are incapable of decrypting anything.

    That's when you're the one generating the cert request. What if some application or service is doing it for you? My point is more for messaging and other communication apps that tout "end to end encryption" vs SSL used for HTTPS.

    ---
    ■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io