CA safety (Re: Microsoft supporting tyrants?)
Bernhard Reiter
reiter at fsfeurope.org
Thu Mar 31 08:59:44 UTC 2011
On Friday, 25 March 2011 at 17:36:51, Werner Koch wrote:
> Of course I assume that the user won't go over the list of root CAs and
> delete almost all of them. Barely anybody does that.
People have to be encouraged to do this and helped
with lists and tools. It will raise the security bar a bit
on this suboptimal system.
On Friday, 25 March 2011 at 17:36:51, Werner Koch wrote:
> Sure, though then I'd rather trust a root CA from the US or Germany
> than I would trust one from Libya. At least I can decide.
>
> You can't.
What I mean is removing this root CA from my list of trusted roots,
which is something I can do. I just need the information to make the decision,
which is currently missing in an easily accessible and understandable form.
> A (say) Chinese root CA has the same level of
> trustworthiness as a German one. IIRC, there is a plugin which does
> some heuristics to decide whether a CA is plausible for a given URL, but
> that is merely a kludge to overcome obviously "faked" certificates.
Maybe it is an idea to implement further restrictions:
a) only trust specific sub-CAs
b) only give a range of top-level domains to a root or sub-CA
--
FSFE -- Deputy Coordinator Germany (fsfeurope.org)
Your donation makes our work possible: www.fsfeurope.org/help/donate.en.html
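
The two restrictions proposed in the message above, sketched as a local trust policy check. This is an added example, not code from the post or from any existing tool; the CA identifiers ("root-A", "sub-A1", ...) and the policy contents are constructed placeholders, and the chain is assumed to have passed normal signature validation already.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CaRule:
    tlds: frozenset                   # TLDs this CA may vouch for; {"*"} = any
    sub_cas: frozenset = frozenset()  # if non-empty: only these direct sub-CAs

# Constructed policy: identifiers are placeholders, not real fingerprints.
POLICY = {
    "root-A": CaRule(frozenset({"de", "eu"}), frozenset({"sub-A1"})),
    "sub-A1": CaRule(frozenset({"de"})),
    "root-B": CaRule(frozenset({"*"})),
}

def tld_of(hostname):
    """Return the lower-cased last label, or None for single-label names."""
    host = hostname.strip().rstrip(".").lower()
    if "." not in host:
        return None
    return host.rsplit(".", 1)[1]

def chain_allowed(hostname, chain, policy=POLICY):
    """chain: CA identifiers from root to issuing CA (leaf excluded).

    Every listed CA in the chain must permit the TLD (restrictions can
    only narrow on the way down), and a CA with a sub-CA allow-list is
    trusted only through one of those sub-CAs.
    """
    tld = tld_of(hostname)
    if tld is None or not chain:
        return False, "no usable hostname or empty chain"
    if chain[0] not in policy:
        return False, f"root {chain[0]} is not trusted"
    for pos, ca in enumerate(chain):
        rule = policy.get(ca)
        if rule is None:
            continue  # unlisted intermediate: bound by the CAs above it
        if "*" not in rule.tlds and tld not in rule.tlds:
            return False, f"{ca} may not vouch for .{tld}"
        if rule.sub_cas:
            child = chain[pos + 1] if pos + 1 < len(chain) else None
            if child not in rule.sub_cas:
                return False, f"{ca} is only trusted through {sorted(rule.sub_cas)}"
    return True, "ok"

if __name__ == "__main__":
    for host, chain in [("www.example.de", ["root-A", "sub-A1"]),
                        ("www.example.eu", ["root-A", "sub-A1"]),
                        ("www.example.de", ["root-A", "sub-X"])]:
        print(host, chain, chain_allowed(host, chain))
```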