[Cryptography] "Trust in digital certificate ecosystem eroding"
Howard Chu
hyc at symas.com
Sat May 2 05:00:45 EDT 2015
Bill Frantz wrote:
> On 5/1/15 at 3:34 PM, andreas.junius at gmail.com (Andreas Junius) wrote:
>
>> ... But there are now thousands of CA's and it is now nearly
>> impossible to trust all of them as an individual.
>>
>> I don't know how to fix that problem. Maybe it could help to make it
>> more visible to the average user.
>
> One thing that might help is to display, by default or simple UI action,
> the trust chain. E.g. "Verisign.com says that this page is from
> WellsFargo.com." The CAs should like it since it puts their brand in
> front of users. It also might make organizations reluctant to change CAs.
>
> If I ran the zoo, I would phrase the display of intermediate CAs so the
> top level CA accepted responsibility for their behavior. E.g.
> "CACert.com says that Citi.com says that this page is from
> CitiTrustManagement.com."
I would start by shipping all the currently bundled CAs in disabled
state. Every time you hit a new web site, prompt for whether to trust
it's chain or not, and also display a counter of how many times you have
trusted a site using this CA. I.e., I want to know how many of the
thousands of CAs being shipped are actually useful in my own browsing
patterns. The rest have no business being enabled in the first place.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
More information about the cryptography
mailing list