[Cryptography] "Trust in digital certificate ecosystem eroding"

Andreas Junius andreas.junius at gmail.com
Thu Apr 30 18:34:24 EDT 2015


Many people claim these days that the system is broken. But I don't 
think it is the system that is broken but some organisations don't 
deserve the trust they ask for. And that's the general problem with 
trust; it has to be earned, not to be assigned by another third party 
(like a browser vendor or an operating system manufacturer).

I think that is the link where the system fails. We introduced that 
system of third parties issuing certificates to allow the user to limit 
the number of certificates to trust (otherwise they had to check every 
single certificate). But there are now thousands of CAs and it is now 
nearly impossible to trust all of them as an individual.

I don't know how to fix that problem. Maybe it could help to make it 
more visible to the average user. There are many truststores in a 
system, e.g. for the OS, Java, different browsers and maybe much more. 
It could be centralised and the user needs a GUI that allows them to 
import what they really trust (how can we trust a computer anyway - 
different issue).

It's really questionable to have a browser coming with a truststore 
containing hundreds of CA certs out of the box from all over the world. 
I for example know exactly that I'll never need to trust TURKTRUST, 
because I don't know Turkish. I could import it later if needed. So, one 
means of mitigation would be to have different truststores per country 
to be delivered with a browser or an OS to minimize the number of 
trusted CAs.

Andy

On 30/04/15 10:55, Jerry Leichter wrote:
> Summary:  The greater business world is starting to figure out just how untrustworthy today's CA system really is.
>
> http://www.fierceitsecurity.com/story/trust-digital-certicate-ecosystem-eroding/2015-04-28
>                                                          -- Jerry
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography

