CA safety (Re: Microsoft supporting tyrants?)
Werner Koch
wk at gnupg.org
Fri Mar 25 16:36:51 UTC 2011
On Fri, 25 Mar 2011 14:01, reiter at fsfeurope.org said:
> The list would help so that people can make a conscious decision about
> their minimum level of their set of root CAs. Yes, it is just one piece of the
> puzzle. In addition implementations must add more.
There is no need to make such a decision. The browser already made
the decision by including that many root CAs. It doesn't matter which
one you use - use the cheapest one if you want one at all.
Of course I assume that the user won't go over the list of root CAs and
delete almost all of them. Hardly anybody does that.
> Sure, though then I'd rather trust a root CA from the US or Germany
> than I would trust one from Libya. At least I can decide.
You can't. A (say) Chinese root CA has the same level of
trustworthiness as a German one. IIRC, there is a plugin which does
some heuristics to decide whether a CA is plausible for a given URL, but
that is merely a kludge to overcome obviously "faked" certificates.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
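Werner's point that a trust store treats every root alike, shown with Go's standard crypto/x509 as an added example that is not part of the thread: two constructed roots, "Root A" and "Root B", each issue a certificate for www.example.org (all names and the host are made-up test data); both certificates validate against a store holding both roots, and a chain only fails once its root has been pruned from the store, which is exactly the step hardly anybody takes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cert makes a self-signed root named name when parent is nil, otherwise a TLS
// server certificate for host name signed by parent. Constructed test data only.
func Cert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root: allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: bound to one DNS name, usable for TLS servers
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Trusted reports whether leaf chains to ANY root in store for host. The store
// has no notion of which CA "should" vouch for which site: one root suffices.
func Trusted(leaf *x509.Certificate, store []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range store {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	rootA, keyA := Cert("Root A", nil, nil) // stands in for a CA from one country
	rootB, keyB := Cert("Root B", nil, nil) // stands in for a CA from another
	host := "www.example.org"
	fromA, _ := Cert(host, rootA, keyA)
	fromB, _ := Cert(host, rootB, keyB)
	both := []*x509.Certificate{rootA, rootB}
	fmt.Println(Trusted(fromA, both, host), Trusted(fromB, both, host), Trusted(fromB, both[:1], host)) // true true false
}
```

The third result is false only because Root B was dropped from the store; with the full store either root vouches for the same host, and nothing in the verification asks whether that root is a plausible issuer for it.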