[Cryptography] "Trust in digital certificate ecosystem eroding"
Andreas Junius
andreas.junius at gmail.com
Thu Apr 30 18:34:24 EDT 2015
Many people claim these days that the system is broken. But I don't
think it is the system that is broken but some organisations don't
deserve the trust they ask for. And that's the general problem with
trust; it has to be earned, not to be assigned by another third party
(like a browser vendor or an operating system manufacturer).
I think that is the link where the system fails. We introduced that
system of third parties issuing certificates to allow the user to limit
the number of certificates to trust (otherwise they had to check every
single certificate). But there are now thousands of CAs and it is now
nearly impossible to trust all of them as an individual.
I don't know how to fix that problem. Maybe it could help to make it
more visible to the average user. There are many truststores in a
system, e.g. for the OS, Java, different browsers and maybe many more.
It could be centralised and the user needs a GUI that allows them to
import what they really trust (how can we trust a computer anyway -
different issue).
It's really questionable to have a browser coming with a truststore
containing hundreds of CA certs out of the box from all over the world.
I for example know exactly that I'll never need to trust TURKTRUST,
because I don't know Turkish. I could import it later if needed. So, one
means of mitigation would be to have different truststores per country
to be delivered with a browser or an OS to minimize the number of
trusted CAs.
Andy
On 30/04/15 10:55, Jerry Leichter wrote:
> Summary: The greater business world is starting to figure out just how untrustworthy today's CA system really is.
>
> http://www.fierceitsecurity.com/story/trust-digital-certicate-ecosystem-eroding/2015-04-28
> -- Jerry
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
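The post above suggests making the contents of a truststore visible to the user and trimming it down, for instance to CAs from countries the user actually deals with. The script below is an added example illustrating that idea; it is not code from the original post or from any of the projects mentioned. It uses only Python's standard `ssl` module: `SSLContext.get_ca_certs()` returns one dict per loaded root, with the subject as a tuple of RDNs, and the helpers here summarise those roots by `countryName` and derive a reduced list from an allow-list of countries. `SAMPLE_CERTS` is a constructed set of records in that same dict shape (the names and countries are invented, not real CA entries), so the functions can be exercised offline; `inventory_system_store()` runs the same summary against whatever roots the local platform store provides.

```python
"""Inventory a truststore by issuing country and derive a reduced root set.

Added example, not from the original post. Works on the dict format that
ssl.SSLContext.get_ca_certs() returns, so it runs against the real system
store as well as the constructed sample below.
"""
import ssl
from collections import Counter

# Constructed sample records in the shape ssl returns: 'subject' is a tuple
# of RDNs, each RDN a tuple of (attribute, value) pairs. These are invented
# entries for illustration, not real CA certificates.
SAMPLE_CERTS = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Roots Inc"),),
                 (("commonName", "Example Root CA 1"),)),
     "notAfter": "Dec 31 23:59:59 2030 GMT"},
    {"subject": ((("countryName", "DE"),), (("organizationName", "Beispiel Trust GmbH"),),
                 (("commonName", "Beispiel Root CA"),)),
     "notAfter": "Dec 31 23:59:59 2032 GMT"},
    {"subject": ((("countryName", "TR"),), (("organizationName", "Ornek Sertifika AS"),),
                 (("commonName", "Ornek Root CA"),)),
     "notAfter": "Dec 31 23:59:59 2029 GMT"},
    # A root whose subject carries no countryName at all; it must not be
    # silently admitted by a country filter.
    {"subject": ((("organizationName", "Stateless Root Org"),),
                 (("commonName", "Stateless Root CA"),)),
     "notAfter": "Dec 31 23:59:59 2031 GMT"},
]


def subject_attr(cert, name):
    """Return the first value of attribute `name` in the cert's subject, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == name:
                return value
    return None


def country_histogram(certs):
    """Count roots per subject country; roots without a country count under '??'."""
    return Counter(subject_attr(c, "countryName") or "??" for c in certs)


def filter_by_country(certs, allowed):
    """Keep only roots whose subject country is in `allowed`.

    Roots with no countryName are excluded on purpose: a reduced store should
    admit only what the user explicitly chose, and 'unknown' was not chosen.
    """
    allowed = {c.upper() for c in allowed}
    return [c for c in certs if (subject_attr(c, "countryName") or "").upper() in allowed]


def describe(certs):
    """Human-readable one-liners, the kind of list a truststore GUI would show."""
    return [
        f"{subject_attr(c, 'countryName') or '??'}  {subject_attr(c, 'commonName') or '(no CN)'}"
        f"  expires {c.get('notAfter', '?')}"
        for c in certs
    ]


def inventory_system_store():
    """Load the platform's default roots and return (count, per-country histogram)."""
    ctx = ssl.create_default_context()  # calls load_default_certs() for us
    roots = ctx.get_ca_certs()
    return len(roots), country_histogram(roots)


if __name__ == "__main__":
    print("Constructed sample, all roots:")
    for line in describe(SAMPLE_CERTS):
        print("  " + line)
    print("Reduced to US + DE:")
    for line in describe(filter_by_country(SAMPLE_CERTS, {"US", "DE"})):
        print("  " + line)
    total, hist = inventory_system_store()
    print(f"System store: {total} roots across {len(hist)} countries")
    for country, n in hist.most_common(10):
        print(f"  {country}: {n}")
```

The per-country split is only a first cut: a root's subject country says where the CA is incorporated, not which sites it signs for, so a reduced store built this way needs the "import it later if needed" escape hatch the post mentions, and the histogram from the real system store is a quick way to see how many roots ship by default and from where.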