[Cryptography] "Trust in digital certificate ecosystem eroding"

Andreas Junius andreas.junius at gmail.com
Fri May 1 18:35:31 EDT 2015

On 01/05/15 18:38, Ben Laurie wrote:
> On 30 April 2015 at 23:34, Andreas Junius <andreas.junius at gmail.com> wrote:
>> I for example know exactly that I'll never need to trust TURKTRUST, because
>> I don't know Turkish.
> This idea is attractive, but incorrect. All CAs are empowered to issue
> certs for all domains. Although its likely that most certs issued by
> Turktrust are indeed for Turkish sites, it is by no means guaranteed
> to be true for all. What's more, Turks do speak English, amazingly, so
> even Turkish sites might be useful to English speakers.

You may have missed my point. What I wanted to say is that there are now 
so many CA's that it is almost unmanageable. Therefore the average user 
stopped to trust these "trusted entities" altogether and "trusts" now 
for instance their browser vendor.

That is why e.g. Mozilla has clear directions of what to follow to get 
into Firefox' trust-store.

In other words, the user trusts a third-party to pick the right 
third-parties that we can trust...

This is not what pkix is about and this is the problem I wanted to 
highlight. There is trust in some other entity that has no mandate 
whatsoever for this, to solve a problem that wasn't obvious about 20 
years ago when the system got introduced.



More information about the cryptography mailing list