CA safety (Re: Microsoft supporting tyrants?)

Bernhard Reiter reiter at
Fri Mar 25 13:01:59 UTC 2011

On Friday, 25 March 2011 11:18:34, Werner Koch wrote:
> On Fri, 25 Mar 2011 11:07, Torsten.Grote at said:
> > Because it is not as easy as collecting some hardware components and
> > because not as many people are interested in the topic.
> And because such a list doesn't help.  In a browser all CAs are
> implicitly cross-certified.  Thus a single not that well managed CA sets
> the entire security level to its own. 

The list would help so that people can make a conscious decision about
their minimum level of their set of root CAs. Yes, it is just one piece of the 
puzzle. In addition implementations must add more.

> Even if all CAs would technically 
> and organizationally work at par I am pretty sure that a government or a
> bigcorp is able to convince its home CA to create a fraudulent certificate.

Sure, though then I'd rather trust a root CA from the US or Germany
than I would trust one from Libya. At least I can decide.

FSFE -- Deputy Coordinator Germany                            (
Your donation makes our work possible: