CA safety (Re: Microsoft supporting tyrants?)

Bernhard Reiter reiter at
Thu Mar 31 08:59:44 UTC 2011

Am Freitag, 25. März 2011 17:36:51 schrieb Werner Koch:
> Of course I assume that the user won't go over the list of root CAs and
> delete almost all of them.  Barely nobody does that.

People have to be encouraged to do this and helped
with lists and tools. It will raise the security bar a bit
on this suboptimal system.

Am Freitag, 25. März 2011 17:36:51 schrieb Werner Koch:
>  Sure, though then I'd rather trust a root CA from the US or Germany
>  then I would trust one from Libya. At least I can decide.
> You can't. 

What I mean is, if I remove this root CA from my list of trusted roots.
Which is something I can do, I just need the information to do the decision, 
which is currently missing in a well accessible and understandable form.

> A (say) Chinese root CA has the same level of 
> trustworthiness as a German one.  IIRC, there is a plugin which does
> some heuristics to decide whether a CA is plausible for a given URL, but
> that is merely a kludge to overcome obviously "faked" certificates.

Maybe it is an idea to implement further restrictions:
a) only trust specific subca
b) only give a range of TOP level domains to a root or subca

FSFE -- Deputy Coordinator Germany                            (
Your donation makes our work possible:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the Discussion mailing list