[Cryptography] The business of web hosting, was Commercial PKI as dog poop

John Levine johnl at iecc.com
Sat May 15 21:56:40 EDT 2021


It appears that jrzx <jrzx at protonmail.ch> said:
>And the secrets underlying each of these certificates are
>located on the actual physical machine you connect to.
>
>And chances are those machines are located in a data center
>physically controlled by the bank with a security guard and
>a cam, and if they are located at some random unknown place
>in the cloud, root login is only possible with an ssh key
>whose secret is physically located in a computer somewhere
>in the bank's offices.

Once again, this is an Internet very much unlike the one the rest of us use.

I happen to own a server on which there are several dozen web sites for other
people.  They all have SSL certs.  The only person with the private keys is me
because I set them all up semi-automatically.  A few of the nerdier ones have
ssh access, but most use sftp or the web builder stuff in WordPress.  The SSL
certs are stored with the Apache configuration, not with the content files so
even the ones who use ssh can't see the SSL keys.  This is a typical
way to set up shared hosting.

For my bank, the bank is in upstate NY but all of their web sites are
handled by their contractor somewhere in the midwest, and I am quite
certain the contractor manages the SSL certs, too.  They certainly manage
the cert that has the contractor's name on it.

R's,
John

PS: When Rich Salz tells you the way CDNs like Akamai work, you should
pay attention because, you know, he works there.

