It's possible (and easy) for the client to encrypt something that a client cannot in general decrypt, nor can anyone else without the decryption key.
And that's exactly how your typical SSL/TLS handshake works.
The problem is how does the client know he's encrypting to the correct public key? He has to have something stored giving him the key in advance or telling him how to authenticate the public key he's asked to use.
This is how the protocol messages were decrypted. The hackers modified their own console to trust a new public key, one to which they had the private key.
> And that's exactly how your typical SSL/TLS handshake works.
True.
> The problem is how does the client know he's encrypting to the correct public key? He has to have something stored giving him the key in advance or telling him how to authenticate the public key he's asked to use.
True again. In SSL/TLS, this is the "trusted roots" certificates that the browser was created with.
Why wouldn't the PS3 have a "trusted root" as such?
> This is how the protocol messages were decrypted. The hackers modified their own console to trust a new public key, one to which they had the private key.
Cool. But that doesn't let them decode _other_ clients' transmissions -- much like putting a new root certificate in your own browser doesn't make a session less secure for anyone else.
Sony made many mistakes here, most of them due to either extreme hubris or extreme incompetence.
> But that doesn't let them decode _other_ clients' transmissions -- much like putting a new root certificate in your own browser doesn't make a session less secure for anyone else.
Right, we don't know that's happened yet, except we hear that Sony's backend systems were compromised too. That could be completely unrelated, or the client and server hacks could combine in a way that makes every PS3 compromised. I find it an interesting question but we probably have to wait for more details from Sony.
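The trust-anchor point argued in this thread, as an added illustration that is not any poster's code and not the console's actual protocol: toy textbook RSA with small constructed keys, showing that changing one client's trust store affects only that client. `Client`, `make_keypair`, `fingerprint` and the key names are hypothetical.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public, private). Toy only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def fingerprint(pub):
    """Stable identifier for a public key, as stored in a trust store."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

def decrypt(priv, ciphertext):
    n, d = priv
    return pow(ciphertext, d, n)

class Client:
    """Hypothetical client shipped with a set of trusted key fingerprints."""
    def __init__(self, trusted):
        self.trusted = set(trusted)

    def encrypt_to(self, offered_pub, secret):
        # Authenticate the offered key against the stored anchor before use.
        if fingerprint(offered_pub) not in self.trusted:
            raise ValueError("offered public key is not trusted")
        n, e = offered_pub
        return pow(secret, e, n)  # the client holds no private key

# Constructed keys built from small Mersenne primes (not secure sizes).
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**17 - 1, 2**19 - 1)

def demo(secret=424242):
    stock = Client({fingerprint(VENDOR_PUB)})
    modified = Client({fingerprint(VENDOR_PUB), fingerprint(OTHER_PUB)})
    out = {}
    # Stock client, vendor key: only the vendor's private key recovers it.
    out["vendor_reads_stock"] = (
        decrypt(VENDOR_PRIV, stock.encrypt_to(VENDOR_PUB, secret)) == secret)
    # A client whose own trust store was changed accepts the second key.
    out["other_reads_modified"] = (
        decrypt(OTHER_PRIV, modified.encrypt_to(OTHER_PUB, secret)) == secret)
    # An unmodified client offered the same key refuses to encrypt to it.
    try:
        stock.encrypt_to(OTHER_PUB, secret)
        out["stock_accepts_other"] = True
    except ValueError:
        out["stock_accepts_other"] = False
    return out

if __name__ == "__main__":
    print(demo())
```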