[Cryptography] "Trust in digital certificate ecosystem eroding"
Andreas Junius
andreas.junius at gmail.com
Fri May 1 18:35:31 EDT 2015
On 01/05/15 18:38, Ben Laurie wrote:
> On 30 April 2015 at 23:34, Andreas Junius <andreas.junius at gmail.com> wrote:
>> I for example know exactly that I'll never need to trust TURKTRUST, because
>> I don't know Turkish.
>
> This idea is attractive, but incorrect. All CAs are empowered to issue
> certs for all domains. Although it's likely that most certs issued by
> Turktrust are indeed for Turkish sites, it is by no means guaranteed
> to be true for all. What's more, Turks do speak English, amazingly, so
> even Turkish sites might be useful to English speakers.
You may have missed my point. What I wanted to say is that there are now
so many CAs that it is almost unmanageable. Therefore the average user
has stopped trusting these "trusted entities" altogether and now "trusts",
for instance, their browser vendor.
That is why e.g. Mozilla has clear directions on what to follow to get
into Firefox's trust store.
In other words, the user trusts a third party to pick the right
third parties that we can trust...
This is not what PKIX is about, and this is the problem I wanted to
highlight. There is trust in some other entity that has no mandate
whatsoever for this, to solve a problem that wasn't obvious about 20
years ago when the system was introduced.
Andy
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/