Oh, and obvs to me but not to everyone: the first failure mode of public key infrastructure is failure to authenticate a good actor; the second failure mode is authentication of an evil actor; the third failure mode is that revocation of authentication is really really hard, and the fourth is that all secrets leak. Five: asking permission takes too long, so default-deny becomes default-allow-if-authenticated.
The end result is that not only does every traffic engineer in every small town have the keys to change all the traffic lights in town, but they also share keys with the people one town over, and they send them through email, and keys from people who have moved to other jobs are valid ten years later...
The only reason we don't have traffic apocalypse now is (a) people notice when lights are funky, and they complain and (b) you can't do it remotely except in a few hardwired cities where you can't do it arbitrarily remotely.
no subject
The end result is that not only does every traffic engineer in every small town have the keys to change all the traffic lights in town, but they also share keys with the people one town over, and they send them through email, and keys from people who have moved to other jobs are valid ten years later...
The only reason we don't have traffic apocalypse now is (a) people notice when lights are funky, and they complain and (b) you can't do it remotely
except in a few hardwired cities where you can't do it arbitrarily remotely.