[Cryptography] "Trust in digital certificate ecosystem eroding"
hyc at symas.com
Sat May 2 05:00:45 EDT 2015
Bill Frantz wrote:
> On 5/1/15 at 3:34 PM, andreas.junius at gmail.com (Andreas Junius) wrote:
>> ... But there are now thousands of CA's and it is now nearly
>> impossible to trust all of them as an individual.
>> I don't know how to fix that problem. Maybe it could help to make it
>> more visible to the average user.
> One thing that might help is to display, by default or simple UI action,
> the trust chain. E.g. "Verisign.com says that this page is from
> WellsFargo.com." The CAs should like it since it puts their brand in
> front of users. It also might make organizations reluctant to change CAs.
> If I ran the zoo, I would phrase the display of intermediate CAs so the
> top level CA accepted responsibility for their behavior. E.g.
> "CACert.com says that Citi.com says that this page is from
I would start by shipping all the currently bundled CAs in disabled
state. Every time you hit a new web site, prompt for whether to trust
its chain or not, and also display a counter of how many times you have
trusted a site using this CA. I.e., I want to know how many of the
thousands of CAs being shipped are actually useful in my own browsing
patterns. The rest have no business being enabled in the first place.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
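The two proposals in this exchange, a trust-chain display in the form "X says that Y says that this page is from Z" and a CA bundle that ships disabled and accumulates a per-root counter of sites the user has chosen to trust, can be sketched as a small simulation. The code below is an added illustration written for this archive page, not code from Howard Chu, Bill Frantz or any browser; the root names, site names and chains are constructed placeholders, and the chain is assumed to be given leaf-first, root-last as a list of subject names rather than parsed from real certificates.

```python
"""Simulation of a disabled-by-default CA bundle with per-root trust counters.

Added example for this thread; all names and chains below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Set, Tuple

# Constructed bundle: the roots a browser would ship, all disabled at first.
BUNDLED_ROOTS = ["Root CA Alpha", "Root CA Beta", "Root CA Gamma", "Root CA Delta"]

# Constructed browsing session: (site, chain).  Chains are leaf-first, root-last.
SAMPLE_VISITS: List[Tuple[str, List[str]]] = [
    ("bank.example", ["bank.example", "Alpha Intermediate", "Root CA Alpha"]),
    ("mail.example", ["mail.example", "Beta Intermediate", "Root CA Beta"]),
    ("bank.example", ["bank.example", "Alpha Intermediate", "Root CA Alpha"]),
    ("shop.example", ["shop.example", "Root CA Alpha"]),
    ("tracker.example", ["tracker.example", "Gamma Intermediate", "Root CA Gamma"]),
    ("rogue.example", ["rogue.example", "Omega Intermediate", "Root CA Omega"]),
]

# Constructed user policy: decline this one site at the prompt, accept the rest.
DECLINED_SITES: Set[str] = {"tracker.example"}


def describe_chain(chain: Sequence[str]) -> str:
    """Render a chain as 'Root says that Intermediate says that this page is from Leaf'.

    The root is named first so the top-level CA reads as taking responsibility
    for every intermediate beneath it.
    """
    if len(chain) < 2:
        raise ValueError("a chain needs at least a leaf and one issuer")
    leaf, *issuers = chain
    top_down = list(reversed(issuers))  # root first, then intermediates
    return " says that ".join(top_down) + f" says that this page is from {leaf}"


@dataclass
class TrustStore:
    """Roots start disabled; a root is enabled only when the user trusts a site under it."""
    enabled: Dict[str, bool]
    counts: Counter = field(default_factory=Counter)   # root -> sites trusted under it
    seen_sites: Set[str] = field(default_factory=set)  # sites already decided on

    @classmethod
    def shipped_disabled(cls, roots: Sequence[str]) -> "TrustStore":
        return cls(enabled={r: False for r in roots})

    def visit(self, site: str, chain: Sequence[str],
              prompt: Callable[[str, str, int], bool]) -> str:
        """Process one visit; `prompt(site, description, count_so_far)` is the user's answer."""
        root = chain[-1]
        if root not in self.enabled:
            return "rejected: root not in bundle"
        if site in self.seen_sites:
            return "trusted: previously accepted"
        if not prompt(site, describe_chain(chain), self.counts[root]):
            return "rejected: user declined"
        # First acceptance of a site under this root enables the root and bumps its counter.
        self.seen_sites.add(site)
        self.enabled[root] = True
        self.counts[root] += 1
        return "trusted: accepted at prompt"

    def unused_roots(self) -> List[str]:
        """Bundled roots that never earned a trust decision and so stay disabled."""
        return sorted(r for r, on in self.enabled.items() if not on)


def run_sample() -> Tuple[TrustStore, List[str]]:
    """Replay the constructed session and return the store plus per-visit outcomes."""
    store = TrustStore.shipped_disabled(BUNDLED_ROOTS)

    def user_prompt(site: str, description: str, count_so_far: int) -> bool:
        # A real browser would show `description` and `count_so_far` in the dialog.
        return site not in DECLINED_SITES

    outcomes = [store.visit(site, chain, user_prompt) for site, chain in SAMPLE_VISITS]
    return store, outcomes


if __name__ == "__main__":
    store, outcomes = run_sample()
    for (site, chain), outcome in zip(SAMPLE_VISITS, outcomes):
        print(f"{site:16} {outcome:32} {describe_chain(chain)}")
    print("sites trusted per root:", dict(store.counts))
    print("roots never used (still disabled):", store.unused_roots())
```

Running the session shows the effect Howard describes: of the four shipped roots only two ever earn a trust decision, one is declined by the user and stays disabled, and a chain ending in a root outside the bundle is refused outright without a prompt.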