[Cryptography] The business of web hosting, was Commercial PKI as dog poop

[John Levine]

It appears that jrzx <jrzx at protonmail.ch> said:
>On Saturday, May 15, 2021 6:56 PM, John Levine <johnl at iecc.com> wrote:
>> For my bank, the bank is in upstate NY but all of their
>> web sites are handled by their contractor ...

>And if their contractor does indeed control their secrets,
>then were he to stuff their certs into a CDN, which he did
>not, then not only would their contractor have control, and
>they not have control, but no end of unknown people and
>machines between the machine servicing their web pages,
>and the machine holding the secrets controlling their
>certs, would also have control.

I don't think "control" means what you think it means.  

A bank or any organization has a bunch of employees and contractors
whose roles and authorities are defined by law and contract and to
some extent custom. It's not like the cryptopunk simpleverse where
someone has full "control" over something or none at all.

There are a few people, probably at the contractor, who have access to
the private keys for my bank's certs but they do not "control" the
certs in any meaningful sense.  Imagine that one of them took the key
and set up a competing web site, and guess how well that would work.

To point out the obvious, this complex contractual setup actually works.
I can deposit a check on the web site with the cert issued to the contractor
and the next day walk down to the bank where they will give me cash (and my
dog a biscuit.)

To point out the also obvious, this highlights why cryptocurrencies with
immutable blockchains and no way to reverse mistaken or fraudulent
transactions don't match the way the rest of the world works.

R's,
John