CA safety (Re: Microsoft supporting tyrants?)

Sam Liddicott sam at
Thu Mar 31 09:15:18 UTC 2011

On 31/03/11 09:59, Bernhard Reiter wrote:
> Am Freitag, 25. März 2011 17:36:51 schrieb Werner Koch:
>> Of course I assume that the user won't go over the list of root CAs and
>> delete almost all of them.  Barely nobody does that.
> People have to be encouraged to do this and helped
> with lists and tools. It will raise the security bar a bit
> on this suboptimal system.

Not if the system also includes the human who needed the help.

If they need the help then they they can't manage or understand trust 
and don't know how to respond to the untrusted warning messages they are 
more likely to get having made the change.

If they aren't going to get any additional untrusted warning messages 
then it won't make any difference what you do.

if they do get the messages it will be in response to sites that they 
want to use. The change won't help them asses the validity of the site 
certificate, and may increase their chance of being deceived.

So you've changed the system, but it is hard to show that you have made 
it more secure.


More information about the Discussion mailing list