CA safety (Re: Microsoft supporting tyrants?)

Werner Koch wk at
Fri Mar 25 16:36:51 UTC 2011

On Fri, 25 Mar 2011 14:01, reiter at said:

> The list would help so that people can make a concious decision about
> their minimum level of their set of root CAs. Yes, it is just one piece of the 
> puzzle. In addition implementations must add more.

There is no need to make such a decision.  The browser already made
the decision by including that many root CAs.  It doesn't matter which
one you use - use the cheapest one it you want one at all.

Of course I assume that the user won't go over the list of root CAs and
delete almost all of them.  Barely nobody does that.

> Sure, though then I'd rather trust a root CA from the US or Germany
> then I would trust one from Libya. At least I can decide.

You can't.  A (say) Chinese root CA has the same level of
trustworthiness as a German one.  IIRC, there is a plugin which does
some heuristics to decide whether a CA is plausible for a given URL, but
that is merely a kludge to overcome obviously "faked" certificates.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Discussion mailing list