[Cryptography] hard to trust all those root CAs
Sandy Harris
sandyinchina at gmail.com
Tue Jul 22 11:04:47 EDT 2014
On Sun, Jul 20, 2014 at 7:04 AM, Lodewijk andré de la porte
<l at odewijk.nl> wrote:
> 2014-07-20 0:07 GMT+02:00 Jerry Leichter <leichter at lrw.com>:
>
>> The reason there are so many trusted CA's is that we can't have some
>> random browser maker deciding that a Chinese CA isn't trustworthy - that
>> violates Chinese sovereignty. (That a Chinese dissident might have very
>> strong feelings on this matter is just too bad.)
>
> That it's something China does not like, and doing something China does not
> like can be unwise, I can understand. But China's sovereignty is only
> affected when Chinese decide to use the violating browser. Which China can
> prevent, which makes it sovereign.
>
> There's some validity to the argument that you can't just not give China any
> root CA's. But there's no validity to the idea that it violates China's
> anything. If it makes me (Dutch) more secure, it should be so for me. Maybe
> we should introduce a separation of country and code? :P
What about restricting the Chinese CA to signing certs in .cn and imposing
similar restrictions on other CAs?
More information about the cryptography
mailing list