[Cryptography] Fwd: hard to trust all those root CAs

manning bmanning at karoshi.com
Tue Jul 22 22:21:14 EDT 2014


Begin forwarded message:

> From: manning bill <bmanning at isi.edu>
> Subject: Re: [Cryptography] hard to trust all those root CAs
> Date: July 22, 2014 at 19:14:55 PDT
> To: Sandy Harris <sandyinchina at gmail.com>
> Cc: Cryptography <cryptography at metzdowd.com>
> 
> just for fun,  replace “china” with “christian” and “dutch” with “jewish”
> and see if this still makes sense..
> 
> 
> /bill
> PO Box 12317
> Marina del Rey, CA 90295
> 310.322.8102
> 
> On 22July2014Tuesday, at 8:04, Sandy Harris <sandyinchina at gmail.com> wrote:
> 
>> On Sun, Jul 20, 2014 at 7:04 AM, Lodewijk andré de la porte
>> <l at odewijk.nl> wrote:
>> 
>>> 2014-07-20 0:07 GMT+02:00 Jerry Leichter <leichter at lrw.com>:
>>> 
>>>> The reason there are so many trusted CA's is that we can't have some
>>>> random browser maker deciding that a Chinese CA isn't trustworthy - that
>>>> violates Chinese sovereignty.  (That a Chinese dissident might have very
>>>> strong feelings on this matter is just too bad.)
>>> 
>>> That it's something China does not like, and doing something China does not
>>> like can be unwise, I can understand. But China's sovereignty is only
>>> affected when Chinese decide to use the violating browser. Which China can
>>> prevent, which makes it sovereign.
>>> 
>>> There's some validity to the argument that you can't just not give China any
>>> root CA's. But there's no validity to the idea that it violates China's
>>> anything. If it makes me (Dutch) more secure, it should be so for me. Maybe
>>> we should introduce a separation of country and code? :P
>> 
>> What about restricting the Chinese CA to signing certs in .cn and imposing
>> similar restrictions on other CAs?
>> _______________________________________________
>> The cryptography mailing list
>> cryptography at metzdowd.com
>> http://www.metzdowd.com/mailman/listinfo/cryptography
> 



More information about the cryptography mailing list