CA safety (Re: Microsoft supporting tyrants?)
sam at liddicott.com
Thu Mar 31 09:15:18 UTC 2011
On 31/03/11 09:59, Bernhard Reiter wrote:
> Am Freitag, 25. März 2011 17:36:51 schrieb Werner Koch:
>> Of course I assume that the user won't go over the list of root CAs and
>> delete almost all of them. Barely nobody does that.
> People have to be encouraged to do this and helped
> with lists and tools. It will raise the security bar a bit
> on this suboptimal system.
Not if the system also includes the human who needed the help.
If they need the help then they they can't manage or understand trust
and don't know how to respond to the untrusted warning messages they are
more likely to get having made the change.
If they aren't going to get any additional untrusted warning messages
then it won't make any difference what you do.
if they do get the messages it will be in response to sites that they
want to use. The change won't help them asses the validity of the site
certificate, and may increase their chance of being deceived.
So you've changed the system, but it is hard to show that you have made
it more secure.
More information about the Discussion